emacs-devel
From: Jean Louis
Subject: Re: Proposal to include obligatory PGP verification of packages from any repository
Date: Tue, 20 Oct 2020 00:02:05 +0300
User-agent: Mutt/1.10.1 (2018-07-13)

* Stefan Monnier <monnier@iro.umontreal.ca> [2020-10-19 23:23]:
> > I would rather expect message shown, just as it is not shown for
> > unsigned packages.
> 
> `package.el` should emit a message when installing a package without any
> signature, since that's the odd and undesirable case.  I find it
> perfectly normal not to say anything when the signature check succeeded.
> 
> > Regarding packages in GNU ELPA, can I now assume they are all signed?
> 
> Of course.  It's been that way since Emacs-24.4, IIRC.
> 
> > Is there a policy that GNU ELPA packages should be signed?
> 
> Not sure what that would mean: *we* sign it, so there's no policy to
> enforce.  At most there are bugs to fix if the sigs are missing
> or incorrect.

It would be good to implement the policy.

> > What I expect is a method for user to easily verify and know by which
> > key was which package signed, such function should exist.
> 
> What does Debian do in this respect?

There are ways to verify package authenticity, so it is automated, and
there is a way to verify it package by package. I am on Hyperbola
GNU/Linux-libre, a derivative of Archlinux, and there is a way to use the
pacman package manager to verify authenticity.

Vasilij pointed out how it should be done. Verifications in Debian or
Archlinux, as I see it, happen in real time during installation, and
that is by default.

> > I also expect that such verification should be by default, but default
> > was to accept unsigned, which is security issue in Emacs.
> 
> 2 reasons:
> - the sig-checking code (i.e. PGP) might not be installed and we did
>   not want to add it as a prerequisite.

You know it better; maybe gnutls can be used, as it is, as I see it,
part of GNU Emacs here, but it may not be part of it on every OS, I do
not know. It has an OpenPGP API:
https://www.gnutls.org/manual/html_node/OpenPGP-API.html

So instead of using the external gpg program, maybe you as developers
could use the gnutls library and that API to create signatures for
packages in case PGP/GnuPG cannot work.

> - the signature system was introduced relatively shortly before it was
>   deployed for Emacs-24.4, so we did not want to break it for the other
>   ELPA archives.

I understand and I find it unfortunate, and I still suggest that it
become enabled now, and not years thereafter.

> Regarding the second point, AFAICT Melpa still doesn't sign its
> packages, so its users presumably rely on `https` as their only line
> of defense.  One of the main reasons might be that there is/was no easy
> way to add other trusted keys to Emacs's keyring (tho the
> `gnu-elpa-keyring-update` shows it can be done) so even if they signed
> their packages their users would have to take some extra step to add
> their key to the trusted keys.

And that is in the best interest of users.

I think that it sounds tedious, yet it is in the best interest of users.

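As an added example that is not code from this thread, from package.el, or from GNU ELPA, the following Emacs Lisp shows the weak default setting discussed above beside the strict one, and a function that answers the question raised in the thread (by which key was a package signed) by verifying a downloaded package file against its detached `.sig` with the same keyring package.el uses. It assumes Emacs 27 or later (for the `all` value of `package-check-signature`), that the package file and its `.sig` have already been fetched from the archive, and that `package-gnupghome-dir` points at the keyring populated by `gnu-elpa-keyring-update`; the helper names `my/package-signing-keys` and `my/package-signed-by-trusted-key-p` and the file names in the usage comment are hypothetical.

```elisp
;; Added example, not code from this thread or from package.el itself.
;; Assumes Emacs 27 or later for the `all' value of `package-check-signature'.
(require 'package)
(require 'epg)
(require 'cl-lib)

;; Weak (the default): unsigned packages are accepted without any message.
;; With this value package.el also skips checking altogether when no gpg
;; program can be found, which is the "PGP might not be installed" case
;; mentioned in the thread.
(setq package-check-signature 'allow-unsigned)

;; Strict: every package and every archive-contents must carry a valid
;; signature (`t' requires at least one valid signature, `all' requires
;; all of them to be valid).  Archives that do not sign at all must then
;; be listed in `package-unsigned-archives', otherwise refreshing them fails.
(setq package-check-signature 'all
      package-unsigned-archives nil)

(defun my/package-signing-keys (file &optional sig-file)
  "Verify FILE against the detached OpenPGP signature SIG-FILE.
SIG-FILE defaults to FILE with \".sig\" appended, the layout GNU ELPA uses.
The keyring is `package-gnupghome-dir', the one package.el itself uses.
Return an alist of (KEY-ID . STATUS) for every signature found; STATUS is
one of the symbols epg reports, e.g. `good', `bad', `expired', `no-pubkey'.
Signal an error if either file is missing or no signature was found, so a
silent \"verified\" can never come from an absent .sig file."
  (let ((sig-file (or sig-file (concat file ".sig")))
        (ctx (epg-make-context 'OpenPGP)))
    (dolist (f (list file sig-file))
      (unless (file-exists-p f)
        (error "Missing file: %s" f)))
    (setf (epg-context-home-directory ctx) package-gnupghome-dir)
    (epg-verify-file ctx sig-file file)
    (let ((sigs (epg-context-result-for ctx 'verify)))
      (unless sigs
        (error "No OpenPGP signature found in %s" sig-file))
      (mapcar (lambda (sig)
                (cons (epg-signature-key-id sig)
                      (epg-signature-status sig)))
              sigs))))

(defun my/package-signed-by-trusted-key-p (file &optional sig-file)
  "Return non-nil only if every signature on FILE verifies as `good'.
Any `bad', `expired' or `no-pubkey' result makes this nil; a signing key
that is not present in `package-gnupghome-dir' shows up as `no-pubkey'."
  (cl-every (lambda (entry) (eq (cdr entry) 'good))
            (my/package-signing-keys file sig-file)))

;; Usage, after fetching e.g. foo-1.0.tar and foo-1.0.tar.sig from the
;; archive (hypothetical file names):
;; (my/package-signing-keys "/tmp/foo-1.0.tar")
;; (my/package-signed-by-trusted-key-p "/tmp/foo-1.0.tar")
```

The function deliberately treats a missing `.sig` as an error rather than as "unsigned", which is the opposite of what `allow-unsigned` does: with the default setting an attacker who can strip the signature from a download (or an archive that never signed) produces no warning at all, whereas here the absence is the failure.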

