GNU bug report logs - #35414
26.2; ELPA packages signed with second, unknown key

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.

Package: emacs; Severity: important; Reported by: Brandon Invergo <brandon@HIDDEN>; Keywords: security; merged with #35534; dated Wed, 24 Apr 2019 12:57:01 UTC; Maintainer for emacs is bug-gnu-emacs@HIDDEN.

Message received at 35414 <at> debbugs.gnu.org:


Received: (at 35414) by debbugs.gnu.org; 30 Sep 2019 22:03:07 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon Sep 30 18:03:07 2019
Received: from localhost ([127.0.0.1]:60688 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1iF3l5-0003ZM-F7
	for submit <at> debbugs.gnu.org; Mon, 30 Sep 2019 18:03:07 -0400
Received: from mail-pg1-f194.google.com ([209.85.215.194]:36637)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <stefankangas@HIDDEN>) id 1iF3l4-0003Yp-3a
 for 35414 <at> debbugs.gnu.org; Mon, 30 Sep 2019 18:03:06 -0400
Received: by mail-pg1-f194.google.com with SMTP id t14so8136587pgs.3
 for <35414 <at> debbugs.gnu.org>; Mon, 30 Sep 2019 15:03:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc;
 bh=qRhCeonjlBVDSTu72xp+rzJeN+gMbaXIoYKwzBz6ris=;
 b=ddlFWcxLnHo3MnPkpykIjrF+qpvuCOcWKwAldbZQ7fYYRhuaQoD0JkkQkqBVeHOKdE
 aO4uzgBwydrSzqDmyQnZDIxothSFVSofoieEwZ4MOeC6P79XCVnCqhuGlBAGZTT/CL0L
 /UnVMj5dV805iPU1gufOnvSxQtfu0a9F7LhthjCuswhNRFVBtTmNql2vqiB7dHzsy04C
 Ca/cJNG24IhmzI0obClqwKDSshyWA4XvvXuI8OvkgMVrpxU3NJJjg1g5+c7N4JxYvK5o
 mgIbi2RAwgR4FbleVqyjXEdBEhbKx5MidH+ylsFHOEM5Be6cUKXYKo1jqpD4Kj96fsqv
 qd8A==
X-Gm-Message-State: APjAAAV0UlqikiISOrgBY/zENeA+NtAdfg1jlVhrv5mKKSuKGXFytoEq
 3y8CgY6F13R2fKFfeeZjVEZq9Uj4adZbQn5q5qIOZcC1+V4=
X-Google-Smtp-Source: APXvYqxNGi7BHqvvZX6fMZxXb6fTHBRa6hJjOJkMmtGfGag2p0vsg1t8o7NVKmsVwvtWVTArWMvIpF703OXci2mRkX4=
X-Received: by 2002:a63:720f:: with SMTP id n15mr25500810pgc.198.1569880980449; 
 Mon, 30 Sep 2019 15:03:00 -0700 (PDT)
MIME-Version: 1.0
From: Stefan Kangas <stefan@HIDDEN>
Date: Tue, 1 Oct 2019 00:02:49 +0200
Message-ID: <CADwFkmm_Xdi50M2f9Je1t1uTs51LbD30pi0qdQt6UkxBJ7E=QA@HIDDEN>
Subject: Re: bug#35414: 26.2; ELPA packages signed with second, unknown key
To: Stefan Monnier <monnier@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.3 (/)
X-Debbugs-Envelope-To: 35414
Cc: 35414 <at> debbugs.gnu.org, Glenn Morris <rgm@HIDDEN>,
 Brandon Invergo <brandon@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.7 (/)

Stefan Monnier <monnier@HIDDEN> writes:

>> No, the bug is that the signature verification should not signal an
>> error before September 2019 even if you don't have the new key.
>>
>> Could you remove the gnu-elpa-keyring-update package, and the 2019
>> key from your keyring and try and help us figure out why you get
>> those errors and I don't?
>
> Oh, wait, I see it now: I had set package-check-signature incorrectly.
> So, I can reproduce the problem now with
>
>     (setq package-check-signature t)
>
> It works correctly if you've set it to the default `allow-unsigned`.
>
> I think it's a mistake: `allow-unsigned` should mean to allow installing
> packages when they don't have a signature at all, and `t` should mean
> to allow installing if at least one of the sigs is verified rather than
> only if all the sigs are verified.
>
> But that ship has sailed, so I'm going to have to rethink the transition
> to the new key.  Damn!

What's the status on this?  Anything else that needs doing before 27.1?

Best regards,
Stefan Kangas




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.

Message received at 35414 <at> debbugs.gnu.org:


Received: (at 35414) by debbugs.gnu.org; 8 May 2019 17:20:59 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed May 08 13:20:59 2019
Received: from localhost ([127.0.0.1]:33933 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hOQFX-00075R-9R
	for submit <at> debbugs.gnu.org; Wed, 08 May 2019 13:20:59 -0400
Received: from mail01.iro.umontreal.ca ([132.204.25.201]:41948)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <monnier@HIDDEN>) id 1hOQFV-00075E-D7
 for 35414 <at> debbugs.gnu.org; Wed, 08 May 2019 13:20:57 -0400
Received: from mail01.iro.umontreal.ca (mail01.iro.umontreal.ca [127.0.0.1])
 by mail01.iro.umontreal.ca (Postfix) with ESMTP id 39CD78940A45
 for <35414 <at> debbugs.gnu.org>; Wed,  8 May 2019 13:20:52 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=iro.umontreal.ca;
 h=content-type:content-type:mime-version:user-agent:in-reply-to
 :date:date:references:message-id:subject:subject:to:from:from;
 s=dkim; t=1557336051; x=1558200052; bh=Xizi8hxDdceD0BTzqn8guNy/
 W4hldXi6vsxsYQ/p8FA=; b=WuF/8u2Ror0SV8mneG1XyaJiiKBFSrN6iCQpdypc
 UlBoxu9jQU8mX460WjoEV/Z5ZjzMa9xziQms7oen/lZPAu0an1XYXnZh9+Kpn4Ia
 RtDxauLJMsg7NhzBMg1JOnSChSVYcgP2wdxpYL7Iylp657vhMZHZJorA0/e04ud4
 tL/J3kPYFVp/cbxpLzkoBD6PUrs7V9mVgeBM0p64mj9gEprHZ88Tmjnk0ErXOcyI
 M3Ib6WMPDrbbQN9an+QvDEuy/FchOB61NVB0X7APOnbxGG4LfL+PsZQXUUau1jgE
 WQ9WWKFYk9i2/bnUbvOxcVJ7gvu3dJxynHC65EMGbiNCmg==
X-Virus-Scanned: amavisd-new at iro.umontreal.ca
Received: from mail01.iro.umontreal.ca ([127.0.0.1])
 by mail01.iro.umontreal.ca (mail01.iro.umontreal.ca [127.0.0.1]) (amavisd-new,
 port 10024) with ESMTP id 6HGH_bRvwpSS for <35414 <at> debbugs.gnu.org>;
 Wed,  8 May 2019 13:20:51 -0400 (EDT)
Received: from alfajor (modemcable213.149-175-137.mc.videotron.ca
 [137.175.149.213])
 by mail01.iro.umontreal.ca (Postfix) with ESMTPSA id 39C8C8940A2E;
 Wed,  8 May 2019 13:20:51 -0400 (EDT)
From: Stefan Monnier <monnier@HIDDEN>
To: Glenn Morris <rgm@HIDDEN>
Subject: Re: bug#35414: 26.2; ELPA packages signed with second, unknown key
Message-ID: <jwv4l64hni3.fsf-monnier+emacs@HIDDEN>
References: <87mukfsgtb.fsf@HIDDEN> <wsef5rwflb.fsf@HIDDEN>
 <jwvsgu7p5ui.fsf-monnier+emacs@HIDDEN> <875zr36oy6.fsf@HIDDEN>
 <jwvlfzz9h15.fsf-monnier+emacs@HIDDEN>
 <jwvftq79fkt.fsf-monnier+emacs@HIDDEN>
 <76a7gfvw7g.fsf@HIDDEN>
Date: Wed, 08 May 2019 13:20:50 -0400
In-Reply-To: <76a7gfvw7g.fsf@HIDDEN> (Glenn Morris's message of
 "Wed, 24 Apr 2019 19:07:31 -0400")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 35414
Cc: 35414 <at> debbugs.gnu.org, Brandon Invergo <brandon@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> BTW I imagine 26f9a77 should be in the emacs-26 branch.
> (Although no announcement has been made about the future of that
> branch AFAIK.)

I wasn't 100% sure that it was safe, so I wanted to give it some
exposure in `master` first.  But yes, I just pushed that change to
emacs-26.


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.
Forcibly Merged 35414 35534. Request was from Noam Postavsky <npostavs@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at 35414 <at> debbugs.gnu.org:


Received: (at 35414) by debbugs.gnu.org; 25 Apr 2019 08:39:06 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 25 04:39:06 2019
Received: from localhost ([127.0.0.1]:57383 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hJZuL-0002Rc-Vx
	for submit <at> debbugs.gnu.org; Thu, 25 Apr 2019 04:39:06 -0400
Received: from pdx1-sub0-mail-fallback-a1.dreamhost.com ([64.90.62.138]:47626)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <brandon@HIDDEN>) id 1hJZuK-0002R9-B0
 for 35414 <at> debbugs.gnu.org; Thu, 25 Apr 2019 04:39:04 -0400
Received: from pdx1-sub0-mail-a57.g.dreamhost.com (unknown [10.35.43.53])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by pdx1-sub0-mail-fallback-a1.dreamhost.com (Postfix) with ESMTPS id
 41B9F278219; Thu, 25 Apr 2019 01:38:57 -0700 (PDT)
Received: from pdx1-sub0-mail-a57.g.dreamhost.com (localhost [127.0.0.1])
 by pdx1-sub0-mail-a57.g.dreamhost.com (Postfix) with ESMTP id 56D0B7F09F;
 Thu, 25 Apr 2019 01:36:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=invergo.net; h=references
 :from:to:cc:subject:in-reply-to:date:message-id:mime-version
 :content-type; s=invergo.net; bh=KVmVoklEBGjkHWsk90s421N/ARA=; b=
 crxMaecbSU/qxBKen6vKZe9dmxcHZVkPKjZznVrIYkB2UH2ed5sd3QYKdHHSPHgW
 9lSZgYZUhy03AOujApyvCIQN31aa0sOrny3bl9Wx7SXvhFFRaEkGYSa2UHndBwmp
 +l3XQkbFnBZiGUHnmjgXqXadZ3kA8aIYBw6vU81iOpQ=
Received: from localhost (unknown [144.173.111.69])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 (Authenticated sender: brandon@HIDDEN)
 by pdx1-sub0-mail-a57.g.dreamhost.com (Postfix) with ESMTPSA id 52FDC7F0A7;
 Thu, 25 Apr 2019 01:36:47 -0700 (PDT)
References: <87mukfsgtb.fsf@HIDDEN> <wsef5rwflb.fsf@HIDDEN>
 <jwvsgu7p5ui.fsf-monnier+emacs@HIDDEN> <875zr36oy6.fsf@HIDDEN>
 <jwvlfzz9h15.fsf-monnier+emacs@HIDDEN>
 <jwvftq79fkt.fsf-monnier+emacs@HIDDEN>
User-agent: mu4e 1.2.0; emacs 26.2
X-DH-BACKEND: pdx1-sub0-mail-a57
From: Brandon Invergo <brandon@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#35414: 26.2; ELPA packages signed with second, unknown key
In-reply-to: <jwvftq79fkt.fsf-monnier+emacs@HIDDEN>
Date: Thu, 25 Apr 2019 09:36:45 +0100
Message-ID: <87lfzyscpu.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduuddrheeggddtgecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpehffgfhvffujgffkfggtgesthdtredttdertdenucfhrhhomhepuehrrghnughonhcukfhnvhgvrhhgohcuoegsrhgrnhguohhnsehinhhvvghrghhordhnvghtqeenucfkphepudeggedrudejfedrudduuddrieelnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepudeggedrudejfedrudduuddrieelpdhrvghtuhhrnhdqphgrthhhpeeurhgrnhguohhnucfknhhvvghrghhouceosghrrghnughonhesihhnvhgvrhhgohdrnhgvtheqpdhmrghilhhfrhhomhepsghrrghnughonhesihhnvhgvrhhgohdrnhgvthdpnhhrtghpthhtohepfeehgedugeesuggvsggsuhhgshdrghhnuhdrohhrghenucevlhhushhtvghrufhiiigvpedt
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 35414
Cc: 35414 <at> debbugs.gnu.org, Glenn Morris <rgm@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Stefan Monnier writes:

> But that ship has sailed, so I'm going to have to rethink the transition
> to the new key.  Damn!

At this point, it might just suffice to spread the word far and wide
that people using ELPA package verification need to 1) disable
verification, 2) install the transition package, and then 3) re-enable
verification.  A few well-placed announcements should directly reach a
substantial portion of ELPA users, while also potentially getting the
info indexed in search engines for more people to find when they get
affected.

All that said, I'm not an expert but an alternative strategy for the
future might be to extend the life of the original key (gpg --edit-key),
send it to a keyserver (gpg --send-keys), and then write an
"package-update-keyring" procedure that pulls updated public keys from
the keyserver (equivalent to gpg --recv-keys).  Of course, that doesn't
help the people who are not running the latest release that features the
update procedure, so a transitional package on ELPA that provides it
would still be necessary.

--
-brandon




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.

Message received at 35414 <at> debbugs.gnu.org:


Received: (at 35414) by debbugs.gnu.org; 25 Apr 2019 06:23:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Apr 25 02:23:45 2019
Received: from localhost ([127.0.0.1]:57268 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hJXnM-0007ix-Mt
	for submit <at> debbugs.gnu.org; Thu, 25 Apr 2019 02:23:44 -0400
Received: from eggs.gnu.org ([209.51.188.92]:43548)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@HIDDEN>) id 1hJXnK-0007ik-P7
 for 35414 <at> debbugs.gnu.org; Thu, 25 Apr 2019 02:23:43 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:45382)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <eliz@HIDDEN>)
 id 1hJXnF-0001tc-3x; Thu, 25 Apr 2019 02:23:37 -0400
Received: from [176.228.60.248] (port=1890 helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:RSA_AES_256_CBC_SHA1:256)
 (Exim 4.82) (envelope-from <eliz@HIDDEN>)
 id 1hJXnE-0003LW-7z; Thu, 25 Apr 2019 02:23:36 -0400
Date: Thu, 25 Apr 2019 09:23:17 +0300
Message-Id: <838svy1u3u.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
To: Glenn Morris <rgm@HIDDEN>
In-reply-to: <76a7gfvw7g.fsf@HIDDEN> (message from Glenn Morris on
 Wed, 24 Apr 2019 19:07:31 -0400)
Subject: Re: bug#35414: 26.2; ELPA packages signed with second, unknown key
References: <87mukfsgtb.fsf@HIDDEN> <wsef5rwflb.fsf@HIDDEN>
 <jwvsgu7p5ui.fsf-monnier+emacs@HIDDEN> <875zr36oy6.fsf@HIDDEN>
 <jwvlfzz9h15.fsf-monnier+emacs@HIDDEN>
 <jwvftq79fkt.fsf-monnier+emacs@HIDDEN> <76a7gfvw7g.fsf@HIDDEN>
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 35414
Cc: 35414 <at> debbugs.gnu.org, brandon@HIDDEN, monnier@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> From: Glenn Morris <rgm@HIDDEN>
> Date: Wed, 24 Apr 2019 19:07:31 -0400
> Cc: 35414 <at> debbugs.gnu.org, Brandon Invergo <brandon@HIDDEN>
> 
> 
> BTW I imagine 26f9a77 should be in the emacs-26 branch.

Fine with me, thanks.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.

Message received at 35414 <at> debbugs.gnu.org:


Received: (at 35414) by debbugs.gnu.org; 24 Apr 2019 23:07:40 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Apr 24 19:07:40 2019
Received: from localhost ([127.0.0.1]:56758 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hJQzM-0005dE-0Z
	for submit <at> debbugs.gnu.org; Wed, 24 Apr 2019 19:07:40 -0400
Received: from eggs.gnu.org ([209.51.188.92]:54080)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rgm@HIDDEN>) id 1hJQzK-0005d1-FY
 for 35414 <at> debbugs.gnu.org; Wed, 24 Apr 2019 19:07:38 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:39219)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <rgm@HIDDEN>)
 id 1hJQzF-0005dA-AG; Wed, 24 Apr 2019 19:07:33 -0400
Received: from rgm by fencepost.gnu.org with local (Exim 4.82)
 (envelope-from <rgm@HIDDEN>)
 id 1hJQzD-00079F-Px; Wed, 24 Apr 2019 19:07:31 -0400
From: Glenn Morris <rgm@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#35414: 26.2; ELPA packages signed with second, unknown key
References: <87mukfsgtb.fsf@HIDDEN> <wsef5rwflb.fsf@HIDDEN>
 <jwvsgu7p5ui.fsf-monnier+emacs@HIDDEN> <875zr36oy6.fsf@HIDDEN>
 <jwvlfzz9h15.fsf-monnier+emacs@HIDDEN>
 <jwvftq79fkt.fsf-monnier+emacs@HIDDEN>
X-Spook: enemy of the state South Africa Vickie Weaver Taiwan
X-Ran: K>~?BJu1[y+@xkkLf(|entg?WeWq,JiB*z>Q(Ugq?N_&v"<|=+;;^Foh,]Jj<Eyb>g2Wgd
X-Hue: cyan
X-Debbugs-No-Ack: yes
X-Attribution: GM
Date: Wed, 24 Apr 2019 19:07:31 -0400
In-Reply-To: <jwvftq79fkt.fsf-monnier+emacs@HIDDEN> (Stefan Monnier's message
 of "Wed, 24 Apr 2019 19:02:39 -0400")
Message-ID: <76a7gfvw7g.fsf@HIDDEN>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 35414
Cc: 35414 <at> debbugs.gnu.org, Brandon Invergo <brandon@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)


BTW I imagine 26f9a77 should be in the emacs-26 branch.
(Although no announcement has been made about the future of that
branch AFAIK.)




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.

Message received at 35414 <at> debbugs.gnu.org:


Received: (at 35414) by debbugs.gnu.org; 24 Apr 2019 23:02:45 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Apr 24 19:02:45 2019
Received: from localhost ([127.0.0.1]:56749 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hJQuZ-0005WC-NQ
	for submit <at> debbugs.gnu.org; Wed, 24 Apr 2019 19:02:45 -0400
Received: from chene.dit.umontreal.ca ([132.204.246.20]:47102)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <monnier@HIDDEN>) id 1hJQuX-0005W3-Eb
 for 35414 <at> debbugs.gnu.org; Wed, 24 Apr 2019 19:02:42 -0400
Received: from pastel.home (lechon.iro.umontreal.ca [132.204.27.242])
 by chene.dit.umontreal.ca (8.14.7/8.14.1) with ESMTP id x3ON2dI7005699;
 Wed, 24 Apr 2019 19:02:39 -0400
Received: by pastel.home (Postfix, from userid 20848)
 id 7234C6AE07; Wed, 24 Apr 2019 19:02:39 -0400 (EDT)
From: Stefan Monnier <monnier@HIDDEN>
To: Brandon Invergo <brandon@HIDDEN>
Subject: Re: bug#35414: 26.2; ELPA packages signed with second, unknown key
Message-ID: <jwvftq79fkt.fsf-monnier+emacs@HIDDEN>
References: <87mukfsgtb.fsf@HIDDEN> <wsef5rwflb.fsf@HIDDEN>
 <jwvsgu7p5ui.fsf-monnier+emacs@HIDDEN> <875zr36oy6.fsf@HIDDEN>
 <jwvlfzz9h15.fsf-monnier+emacs@HIDDEN>
Date: Wed, 24 Apr 2019 19:02:39 -0400
In-Reply-To: <jwvlfzz9h15.fsf-monnier+emacs@HIDDEN> (Stefan Monnier's message
 of "Wed, 24 Apr 2019 18:36:29 -0400")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 0
X-NAI-Spam-Rules: 2 Rules triggered
	EDT_SA_DN_PASS=0, RV6532=0
X-NAI-Spam-Version: 2.3.0.9418 : core <6532> : inlines <7059> : streams
 <1819631> : uri <2836672>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 35414
Cc: 35414 <at> debbugs.gnu.org, Glenn Morris <rgm@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> No, the bug is that the signature verification should not signal an
> error before September 2019 even if you don't have the new key.
>
> Could you remove the gnu-elpa-keyring-update package, and the 2019
> key from your keyring and try and help us figure out why you get
> those errors and I don't?

Oh, wait, I see it now: I had set package-check-signature incorrectly.
So, I can reproduce the problem now with

    (setq package-check-signature t)
    
It works correctly if you've set it to the default `allow-unsigned`.

I think it's a mistake: `allow-unsigned` should mean to allow installing
packages when they don't have a signature at all, and `t` should mean
to allow installing if at least one of the sigs is verified rather than
only if all the sigs are verified.

But that ship has sailed, so I'm going to have to rethink the transition
to the new key.  Damn!


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.

Message received at 35414 <at> debbugs.gnu.org:


Received: (at 35414) by debbugs.gnu.org; 24 Apr 2019 22:36:35 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Apr 24 18:36:34 2019
Received: from localhost ([127.0.0.1]:56711 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hJQVG-0002pL-Iz
	for submit <at> debbugs.gnu.org; Wed, 24 Apr 2019 18:36:34 -0400
Received: from chene.dit.umontreal.ca ([132.204.246.20]:45935)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <monnier@HIDDEN>) id 1hJQVD-0002pC-OU
 for 35414 <at> debbugs.gnu.org; Wed, 24 Apr 2019 18:36:32 -0400
Received: from pastel.home (lechon.iro.umontreal.ca [132.204.27.242])
 by chene.dit.umontreal.ca (8.14.7/8.14.1) with ESMTP id x3OMaTcc002891;
 Wed, 24 Apr 2019 18:36:30 -0400
Received: by pastel.home (Postfix, from userid 20848)
 id CE6E36AE07; Wed, 24 Apr 2019 18:36:29 -0400 (EDT)
From: Stefan Monnier <monnier@HIDDEN>
To: Brandon Invergo <brandon@HIDDEN>
Subject: Re: bug#35414: 26.2; ELPA packages signed with second, unknown key
Message-ID: <jwvlfzz9h15.fsf-monnier+emacs@HIDDEN>
References: <87mukfsgtb.fsf@HIDDEN> <wsef5rwflb.fsf@HIDDEN>
 <jwvsgu7p5ui.fsf-monnier+emacs@HIDDEN> <875zr36oy6.fsf@HIDDEN>
Date: Wed, 24 Apr 2019 18:36:29 -0400
In-Reply-To: <875zr36oy6.fsf@HIDDEN> (Brandon Invergo's message of "Wed, 
 24 Apr 2019 23:03:29 +0100")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 0
X-NAI-Spam-Rules: 2 Rules triggered
	EDT_SA_DN_PASS=0, RV6532=0
X-NAI-Spam-Version: 2.3.0.9418 : core <6532> : inlines <7059> : streams
 <1819629> : uri <2836665>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 35414
Cc: 35414 <at> debbugs.gnu.org, Glenn Morris <rgm@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> I see.  Sorry, I only searched the bugs list but not the diffs list!

No need to apologize: the new sigs appeared before the keyring
was distributed.

>> Hmm... I just tried with Debian's Emacs-25.1 and with a new build from
>> the `emacs-26` branch:
>>
>>     emacs -Q --eval '(setq package-check-signature t)
>>     M-x package-list-packages RET
>>     M-x package-refresh-contents RET
>>
>> and didn't get any error.
>
> I suppose it's worth asking (but apologies if I misunderstand what's
> happening under the hood): did you perform this test with an empty
> keyring (or just with what's available in Debian's Emacs-25.1
> installation)?

The keyring was not empty, but only had the 2014 key.

> I suspect that you already have the new public key in
> your keyring, so you wouldn't experience the problem.

I was also afraid of that, so I double checked.

>> It's a brand new key that is now in etc/package-keyring.gpg in the
>> `master` branch of Emacs, as well as in the `gnu-elpa-keyring-update`
>> package in GNU ELPA.
>>
>> This is because the key 474F05837FBDEF9B is about to expire (it's
>> really high time we start preparing for the new key).
>
> OK, that should make things easy enough.

But I don't want for people to have to update their keyring already:
they'll need to do that some time before September, but updating your
keyring will just hide the problem you're seeing.

> Unfortunately, installing the package (after temporarily disabling sig
> verification) doesn't solve the problem for me.  Am I correct to assume
> that the package should "just work" after installing (and restarting
> Emacs)?

Yes, even without restarting Emacs.

> I looked at the ELPA git repo and saw that the keyring should be
> distributed in the etc subdirectory of the package.

Oh, duh, of course, the scripts decided to make a single-file package
out of it, so the keyring is missing.  I'll fix that.

> So, I guess the "bug" at this point is that it would appear that the
> keyring isn't properly installed with the keyring-update package.  I
> apologize for the original noise, since you obviously had already
> considered and worked on a fix for the underlying problem.

No, the bug is that the signature verification should not signal an
error before September 2019 even if you don't have the new key.

Could you remove the gnu-elpa-keyring-update package, and the 2019
key from your keyring and try and help us figure out why you get
those errors and I don't?


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.

Message received at 35414 <at> debbugs.gnu.org:


Received: (at 35414) by debbugs.gnu.org; 24 Apr 2019 22:03:46 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Apr 24 18:03:46 2019
Received: from localhost ([127.0.0.1]:56680 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hJPzW-00022f-EB
	for submit <at> debbugs.gnu.org; Wed, 24 Apr 2019 18:03:46 -0400
Received: from orchid.birch.relay.mailchannels.net ([23.83.209.137]:61317)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <brandon@HIDDEN>) id 1hJPzS-00022V-Uw
 for 35414 <at> debbugs.gnu.org; Wed, 24 Apr 2019 18:03:43 -0400
X-Sender-Id: dreamhost|x-authsender|brandon@HIDDEN
Received: from relay.mailchannels.net (localhost [127.0.0.1])
 by relay.mailchannels.net (Postfix) with ESMTP id 3D6CF5E03E8;
 Wed, 24 Apr 2019 22:03:38 +0000 (UTC)
Received: from pdx1-sub0-mail-a45.g.dreamhost.com
 (100-96-7-81.trex.outbound.svc.cluster.local [100.96.7.81])
 (Authenticated sender: dreamhost)
 by relay.mailchannels.net (Postfix) with ESMTPA id 86CE05E2657;
 Wed, 24 Apr 2019 22:03:36 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|brandon@HIDDEN
Received: from pdx1-sub0-mail-a45.g.dreamhost.com ([TEMPUNAVAIL].
 [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384)
 by 0.0.0.0:2500 (trex/5.17.2); Wed, 24 Apr 2019 22:03:38 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|brandon@HIDDEN
X-MailChannels-Auth-Id: dreamhost
X-Arch-Skirt: 4ee87fce76f8ad25_1556143417885_2194403274
X-MC-Loop-Signature: 1556143417885:616993006
X-MC-Ingress-Time: 1556143417884
Received: from pdx1-sub0-mail-a45.g.dreamhost.com (localhost [127.0.0.1])
 by pdx1-sub0-mail-a45.g.dreamhost.com (Postfix) with ESMTP id DA2737F1FF;
 Wed, 24 Apr 2019 15:03:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=invergo.net; h=references
 :from:to:cc:subject:in-reply-to:date:message-id:mime-version
 :content-type:content-transfer-encoding; s=invergo.net; bh=kUlKW
 fv8rIPGV77OTMUOR+zrsKQ=; b=K53ZJPI064vOfjlwDDduBo4NkfN0oVS5zmCrw
 gZjAeD6Sd/1AUORRKONtWXX1xAXlMcpc0hjW5ljjG8wKRvBKC65ciVh1co37tgFr
 ALfFEszU7DKo0LC4D7EEbfYwcDgrBa8/ET/uN0oahR9vPl/bd5bYz3WCPAYDlHSf
 6TDWi4=
Received: from localhost (cpc88606-newt36-2-0-cust493.19-3.cable.virginm.net
 [86.6.93.238])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 (Authenticated sender: brandon@HIDDEN)
 by pdx1-sub0-mail-a45.g.dreamhost.com (Postfix) with ESMTPSA id DAF1F7F1F4;
 Wed, 24 Apr 2019 15:03:32 -0700 (PDT)
References: <87mukfsgtb.fsf@HIDDEN> <wsef5rwflb.fsf@HIDDEN>
 <jwvsgu7p5ui.fsf-monnier+emacs@HIDDEN>
User-agent: mu4e 1.2.0; emacs 26.2
X-DH-BACKEND: pdx1-sub0-mail-a45
From: Brandon Invergo <brandon@HIDDEN>
To: Stefan Monnier <monnier@HIDDEN>
Subject: Re: bug#35414: 26.2; ELPA packages signed with second, unknown key
In-reply-to: <jwvsgu7p5ui.fsf-monnier+emacs@HIDDEN>
Date: Wed, 24 Apr 2019 23:03:29 +0100
Message-ID: <875zr36oy6.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduuddrheefgddtgecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpehffgfhvffujgffkfggtgfgsehtqhertddtreejnecuhfhrohhmpeeurhgrnhguohhnucfknhhvvghrghhouceosghrrghnughonhesihhnvhgvrhhgohdrnhgvtheqnecuffhomhgrihhnpehgnhhurdhorhhgnecukfhppeekiedriedrleefrddvfeeknecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepkeeirdeirdelfedrvdefkedprhgvthhurhhnqdhprghthhepuehrrghnughonhcukfhnvhgvrhhgohcuoegsrhgrnhguohhnsehinhhvvghrghhordhnvghtqedpmhgrihhlfhhrohhmpegsrhgrnhguohhnsehinhhvvghrghhordhnvghtpdhnrhgtphhtthhopeefheegudegseguvggssghughhsrdhgnhhurdhorhhgnecuvehluhhsthgvrhfuihiivgeptd
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 35414
Cc: 35414 <at> debbugs.gnu.org, Glenn Morris <rgm@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Stefan Monnier writes:

>> I assume (without checking) that this is related to the key from
>> http://lists.gnu.org/r/emacs-diffs/2019-04/msg00546.html
>
> Hmm... Indeed: this new keyring contains two keys (the old 2014 key
> which will expire in September and a new key to replace it).

I see.  Sorry, I only searched the bugs list but not the diffs list!

> Hmm... I just tried with Debian's Emacs-25.1 and with a new build from
> the `emacs-26` branch:
>
>     emacs -Q --eval '(setq package-check-signature t)
>     M-x package-list-packages RET
>     M-x package-refresh-contents RET
>
> and didn't get any error.

I suppose it's worth asking (but apologies if I misunderstand what's
happening under the hood): did you perform this test with an empty
keyring (or just with what's available in Debian's Emacs-25.1
installation)?  I suspect that you already have the new public key in
your keyring, so you wouldn't experience the problem.

> It's a brand new key that is now in etc/package-keyring.gpg in the
> `master` branch of Emacs, as well as in the `gnu-elpa-keyring-update`
> package in GNU ELPA.
>
> This is because the key 474F05837FBDEF9B is about to expire (it's
> really high time we start preparing for the new key).

OK, that should make things easy enough.  Of course, I hadn't seen that
package because I was unable to update my archives!

Unfortunately, installing the package (after temporarily disabling sig
verification) doesn't solve the problem for me.  Am I correct to assume
that the package should "just work" after installing (and restarting
Emacs)?  Just for fun I tried manually running gnu-elpa-keyring-update,
which resulted in this this:

Debugger entered--Lisp error: (error "Can=E2=80=99t find the keyring.gpg fi=
le with the new keys")
  signal(error ("Can=E2=80=99t find the keyring.gpg file with the new keys"=
))
  error("Can't find the keyring.gpg file with the new keys")
  gnu-elpa-keyring-update--keyring()
  gnu-elpa-keyring-update()
  eval((gnu-elpa-keyring-update) nil)
  eval-expression((gnu-elpa-keyring-update) nil nil 127)
  funcall-interactively(eval-expression (gnu-elpa-keyring-update) nil nil 1=
27)
  call-interactively(eval-expression nil nil)
  command-execute(eval-expression)

gnu-elpa-keyring-update--keyring has the value
"etc/gnu-elpa-keyring.gpg", which doesn't exist relative to any relevant
paths that I can think of.  The files in .emacs.d/elpa/gnupg haven't
been modified.

I looked at the ELPA git repo and saw that the keyring should be
distributed in the etc subdirectory of the package.  So I tried manually
downloading the keyring from elpa.gnu.org via wget, however I got a 404
error (trying different reasonable URLs).  I then manually downloaded it
from the ELPA git repository and put it in
.emacs.d/elpa/gnu-elpa-keyring-update-2019.0/etc et voila!  Success.

So, I guess the "bug" at this point is that it would appear that the
keyring isn't properly installed with the keyring-update package.  I
apologize for the original noise, since you obviously had already
considered and worked on a fix for the underlying problem.

Thanks for your help!

--
-brandon




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.

Message received at 35414 <at> debbugs.gnu.org:


Received: (at 35414) by debbugs.gnu.org; 24 Apr 2019 19:36:54 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Apr 24 15:36:54 2019
Received: from localhost ([127.0.0.1]:56543 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hJNhO-00071K-5e
	for submit <at> debbugs.gnu.org; Wed, 24 Apr 2019 15:36:54 -0400
Received: from chene.dit.umontreal.ca ([132.204.246.20]:58195)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <monnier@HIDDEN>) id 1hJNhL-00071C-Ty
 for 35414 <at> debbugs.gnu.org; Wed, 24 Apr 2019 15:36:53 -0400
Received: from pastel.home (lechon.iro.umontreal.ca [132.204.27.242])
 by chene.dit.umontreal.ca (8.14.7/8.14.1) with ESMTP id x3OJaoQu008006;
 Wed, 24 Apr 2019 15:36:50 -0400
Received: by pastel.home (Postfix, from userid 20848)
 id 1A3D36AE07; Wed, 24 Apr 2019 15:36:50 -0400 (EDT)
From: Stefan Monnier <monnier@HIDDEN>
To: Glenn Morris <rgm@HIDDEN>
Subject: Re: bug#35414: 26.2; ELPA packages signed with second, unknown key
Message-ID: <jwvsgu7p5ui.fsf-monnier+emacs@HIDDEN>
References: <87mukfsgtb.fsf@HIDDEN> <wsef5rwflb.fsf@HIDDEN>
Date: Wed, 24 Apr 2019 15:36:50 -0400
In-Reply-To: <wsef5rwflb.fsf@HIDDEN> (Glenn Morris's message of
 "Wed, 24 Apr 2019 12:08:48 -0400")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level: 
X-NAI-Spam-Threshold: 5
X-NAI-Spam-Score: 0.1
X-NAI-Spam-Rules: 3 Rules triggered
	TRK_NCM1=0.1, EDT_SA_DN_PASS=0, RV6532=0
X-NAI-Spam-Version: 2.3.0.9418 : core <6532> : inlines <7059> : streams
 <1819617> : uri <2836612>
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 35414
Cc: 35414 <at> debbugs.gnu.org, Brandon Invergo <brandon@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> I assume (without checking) that this is related to the key from
> http://lists.gnu.org/r/emacs-diffs/2019-04/msg00546.html

Hmm... Indeed: this new keyring contains two keys (the old 2014 key
which will expire in September and a new key to replace it).

>> When I execute package-refresh-contents or when I try to install a
>> package from ELPA, it fails with the following error:
>>
>>     Failed to verify signature archive-contents.sig:
>>     No public key for 066DAFCB81E42C40 created at 2019-04-24T10:15:06+0100 using RSA
>>     Good signature from 474F05837FBDEF9B GNU ELPA Signing Agent <elpasign@HIDDEN> (trust undefined) created at 2019-04-24T10:15:06+0100 using DSA
>>     Command output:
>>     gpg: Signature made Wed 24 Apr 2019 10:15:06 AM BST
>>     gpg:                using DSA key CA442C00F91774F17F59D9B0474F05837FBDEF9B
>>     gpg: Good signature from "GNU ELPA Signing Agent <elpasign@HIDDEN>" [unknown]
>>     gpg: WARNING: This key is not certified with a trusted signature!
>>     gpg:          There is no indication that the signature belongs to the owner.
>>     Primary key fingerprint: CA44 2C00 F917 74F1 7F59  D9B0 474F 0583 7FBD EF9B
>>     gpg: Signature made Wed 24 Apr 2019 10:15:06 AM BST
>>     gpg:                using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
>>     gpg: Can't check signature: No public key

Hmm... I just tried with Debian's Emacs-25.1 and with a new build from
the `emacs-26` branch:

    emacs -Q --eval '(setq package-check-signature t)
    M-x package-list-packages RET
    M-x package-refresh-contents RET

and didn't get any error.

>> So, the signature by GNU ELPA Signing Agent (the key in
>> etc/package-keyring.gpg) is fine.  However, there is a second key
>> involved, for which the public key 066DAFCB81E42C40 is unavailable from
>> any public keyserver that I have tried.

It's a brand new key that is now in etc/package-keyring.gpg in the
`master` branch of Emacs, as well as in the `gnu-elpa-keyring-update`
package in GNU ELPA.

This is because the key 474F05837FBDEF9B is about to expire (it's
really high time we start preparing for the new key).

>> Needless to say, it's not available in etc/package-keyring.gpg
>> either.  Since I do not have the public key, the signature
>> verification fails.

Yes, it's normal that the second signature can't be verified until you
install the new key, but that shouldn't cause an error in
package-install or package-refresh-contents.  At least that's what my
tests lead me to believe.


        Stefan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.

Message received at 35414 <at> debbugs.gnu.org:


Received: (at 35414) by debbugs.gnu.org; 24 Apr 2019 16:09:10 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Apr 24 12:09:10 2019
Received: from localhost ([127.0.0.1]:56292 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hJKSM-0006GZ-4X
	for submit <at> debbugs.gnu.org; Wed, 24 Apr 2019 12:09:10 -0400
Received: from eggs.gnu.org ([209.51.188.92]:52224)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <rgm@HIDDEN>) id 1hJKSK-0006GM-KO
 for 35414 <at> debbugs.gnu.org; Wed, 24 Apr 2019 12:09:08 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e]:59917)
 by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from <rgm@HIDDEN>)
 id 1hJKS7-0000je-W4; Wed, 24 Apr 2019 12:08:58 -0400
Received: from rgm by fencepost.gnu.org with local (Exim 4.82)
 (envelope-from <rgm@HIDDEN>)
 id 1hJKS1-0004Rt-Ah; Wed, 24 Apr 2019 12:08:50 -0400
From: Glenn Morris <rgm@HIDDEN>
To: Brandon Invergo <brandon@HIDDEN>
Subject: Re: bug#35414: 26.2; ELPA packages signed with second, unknown key
References: <87mukfsgtb.fsf@HIDDEN>
Date: Wed, 24 Apr 2019 12:08:48 -0400
In-Reply-To: <87mukfsgtb.fsf@HIDDEN> (Brandon Invergo's message of "Wed, 
 24 Apr 2019 13:56:00 +0100")
Message-ID: <wsef5rwflb.fsf@HIDDEN>
User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/)
MIME-Version: 1.0
Content-Type: text/plain
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 35414
Cc: 35414 <at> debbugs.gnu.org, Stefan Monnier <monnier@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)


Please forgive the top-posting.

I assume (without checking) that this is related to the key from
http://lists.gnu.org/r/emacs-diffs/2019-04/msg00546.html


Brandon Invergo wrote:

> I enabled package.el's signature-checking feature last night (variable
> package-check-signature; Emacs 26.2).  I have imported the keyring at
> etc/package-keyring.gpg, which contains one key:
>
> pub   dsa2048 2014-09-24 [SC] [expires: 2019-09-23]
>       CA442C00F91774F17F59D9B0474F05837FBDEF9B
> uid           [ unknown] GNU ELPA Signing Agent <elpasign@HIDDEN>
>
> GNU ELPA is the only repository that has been enabled
> (https://elpa.gnu.org/packages).
>
> When I execute package-refresh-contents or when I try to install a
> package from ELPA, it fails with the following error:
>
>     Failed to verify signature archive-contents.sig:
>     No public key for 066DAFCB81E42C40 created at 2019-04-24T10:15:06+0100 using RSA
>     Good signature from 474F05837FBDEF9B GNU ELPA Signing Agent <elpasign@HIDDEN> (trust undefined) created at 2019-04-24T10:15:06+0100 using DSA
>     Command output:
>     gpg: Signature made Wed 24 Apr 2019 10:15:06 AM BST
>     gpg:                using DSA key CA442C00F91774F17F59D9B0474F05837FBDEF9B
>     gpg: Good signature from "GNU ELPA Signing Agent <elpasign@HIDDEN>" [unknown]
>     gpg: WARNING: This key is not certified with a trusted signature!
>     gpg:          There is no indication that the signature belongs to the owner.
>     Primary key fingerprint: CA44 2C00 F917 74F1 7F59  D9B0 474F 0583 7FBD EF9B
>     gpg: Signature made Wed 24 Apr 2019 10:15:06 AM BST
>     gpg:                using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
>     gpg: Can't check signature: No public key
>
> So, the signature by GNU ELPA Signing Agent (the key in
> etc/package-keyring.gpg) is fine.  However, there is a second key
> involved, for which the public key 066DAFCB81E42C40 is unavailable from
> any public keyserver that I have tried.  Needless to say, it's not
> available in etc/package-keyring.gpg either.  Since I do not have the
> public key, the signature verification fails.
>
> Just to be sure, I've also done it on a fresh installation-from-source
> with an init.el that is empty apart from setting up package.el.  Same
> results.
>
> I have tried this from outside Emacs, by doing, for example:
>
>     wget https://elpa.gnu.org/packages/delight-1.5.el{,.sig}
>     gpg2 --verify delight-1.5.el.sig
>
> This, of course, gives the same result as doing it from within Emacs.  I
> mention it here to demonstrate that the problem is not in Emacs, from
> what I can tell, but it is strictly due to this second, unknown key
> signature.
>
> For the extra paranoid, I've tried this on three different systems
> residing on three different networks in two different countries.  I'm
> pretty sure the problem is on the ELPA server and is a result of the
> standard signing process.  However, we can't 100% rule out user
> incompetence yet (my own, that is), so I am open to suggestions of what
> else I might try to pin down the source of the problem.
>
> Is the public key 066DAFCB81E42C40 available anywhere?  Or have I set up
> something else incorrectly in the verification process?  Or is this
> second signature there erroneously?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.
Added tag(s) security. Request was from Glenn Morris <rgm@HIDDEN> to control <at> debbugs.gnu.org. Full text available.
Severity set to 'important' from 'normal' Request was from Glenn Morris <rgm@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 24 Apr 2019 12:56:19 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Apr 24 08:56:19 2019
Received: from localhost ([127.0.0.1]:55287 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1hJHRi-0001K2-K2
	for submit <at> debbugs.gnu.org; Wed, 24 Apr 2019 08:56:19 -0400
Received: from eggs.gnu.org ([209.51.188.92]:60877)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <brandon@HIDDEN>) id 1hJHRh-0001Jr-CB
 for submit <at> debbugs.gnu.org; Wed, 24 Apr 2019 08:56:17 -0400
Received: from lists.gnu.org ([209.51.188.17]:37228)
 by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <brandon@HIDDEN>) id 1hJHRb-0004i5-LD
 for submit <at> debbugs.gnu.org; Wed, 24 Apr 2019 08:56:12 -0400
Received: from eggs.gnu.org ([209.51.188.92]:47015)
 by lists.gnu.org with esmtp (Exim 4.71)
 (envelope-from <brandon@HIDDEN>) id 1hJHRa-0001ql-6K
 for bug-gnu-emacs@HIDDEN; Wed, 24 Apr 2019 08:56:11 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=0.8 required=5.0 tests=BAYES_50,RCVD_IN_DNSWL_NONE,
 URIBL_BLOCKED autolearn=disabled version=3.3.2
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
 (envelope-from <brandon@HIDDEN>) id 1hJHRY-0004eL-Kc
 for bug-gnu-emacs@HIDDEN; Wed, 24 Apr 2019 08:56:10 -0400
Received: from ostrich.birch.relay.mailchannels.net ([23.83.209.138]:37176)
 by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
 (Exim 4.71) (envelope-from <brandon@HIDDEN>) id 1hJHRX-0004by-Vh
 for bug-gnu-emacs@HIDDEN; Wed, 24 Apr 2019 08:56:08 -0400
X-Sender-Id: dreamhost|x-authsender|brandon@HIDDEN
Received: from relay.mailchannels.net (localhost [127.0.0.1])
 by relay.mailchannels.net (Postfix) with ESMTP id B6A165C50DE
 for <bug-gnu-emacs@HIDDEN>; Wed, 24 Apr 2019 12:56:03 +0000 (UTC)
Received: from pdx1-sub0-mail-a88.g.dreamhost.com (unknown [100.96.28.64])
 (Authenticated sender: dreamhost)
 by relay.mailchannels.net (Postfix) with ESMTPA id 4964B5C4EED
 for <bug-gnu-emacs@HIDDEN>; Wed, 24 Apr 2019 12:56:03 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|brandon@HIDDEN
Received: from pdx1-sub0-mail-a88.g.dreamhost.com (pop.dreamhost.com
 [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384)
 by 0.0.0.0:2500 (trex/5.17.2); Wed, 24 Apr 2019 12:56:03 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|brandon@HIDDEN
X-MailChannels-Auth-Id: dreamhost
X-Daffy-Soft: 1ca46dc44f65af17_1556110563465_3263503172
X-MC-Loop-Signature: 1556110563464:3744401586
X-MC-Ingress-Time: 1556110563464
Received: from pdx1-sub0-mail-a88.g.dreamhost.com (localhost [127.0.0.1])
 by pdx1-sub0-mail-a88.g.dreamhost.com (Postfix) with ESMTP id DD7E98089C
 for <bug-gnu-emacs@HIDDEN>; Wed, 24 Apr 2019 05:56:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=invergo.net; h=from:to
 :subject:date:message-id:mime-version:content-type; s=
 invergo.net; bh=Tb0HELWZRIAg6gxsALKhUuBR9g4=; b=W6JeiKyssZ+U4tnZ
 GVdjb8EPPXKUwv1jmERg7EomnXQ4S9qjRbCQDasTfwvErmNLBnr7VdN8I5Lq1tIF
 MST07ZWukRPYnz2PtvauDEJIIcdNmNfSjTHnNj3f/Stwv8WDqSeG1laLPSTci0Df
 JVcrPo+BkdQ2yhceu2qwSt/0Ubk=
Received: from localhost (unknown [144.173.111.69])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 (Authenticated sender: brandon@HIDDEN)
 by pdx1-sub0-mail-a88.g.dreamhost.com (Postfix) with ESMTPSA id 7433C808A1
 for <bug-gnu-emacs@HIDDEN>; Wed, 24 Apr 2019 05:56:02 -0700 (PDT)
User-agent: mu4e 1.2.0; emacs 26.2
X-DH-BACKEND: pdx1-sub0-mail-a88
From: Brandon Invergo <brandon@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: 26.2; ELPA packages signed with second, unknown key
Date: Wed, 24 Apr 2019 13:56:00 +0100
Message-ID: <87mukfsgtb.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: 0
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduuddrhedtgdehkecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecunecujfgurhepfgfhvffufffkgggtsehttdertddtredtnecuhfhrohhmpeeurhgrnhguohhnucfknhhvvghrghhouceosghrrghnughonhesihhnvhgvrhhgohdrnhgvtheqnecuffhomhgrihhnpehgnhhurdhorhhgnecukfhppedugeegrddujeefrdduuddurdeileenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpedugeegrddujeefrdduuddurdeiledprhgvthhurhhnqdhprghthhepuehrrghnughonhcukfhnvhgvrhhgohcuoegsrhgrnhguohhnsehinhhvvghrghhordhnvghtqedpmhgrihhlfhhrohhmpegsrhgrnhguohhnsehinhhvvghrghhordhnvghtpdhnrhgtphhtthhopegsuhhgqdhgnhhuqdgvmhgrtghssehgnhhurdhorhhgnecuvehluhhsthgvrhfuihiivgeptd
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 23.83.209.138
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

Hello,

I enabled package.el's signature-checking feature last night (variable
package-check-signature; Emacs 26.2).  I have imported the keyring at
etc/package-keyring.gpg, which contains one key:

pub   dsa2048 2014-09-24 [SC] [expires: 2019-09-23]
      CA442C00F91774F17F59D9B0474F05837FBDEF9B
uid           [ unknown] GNU ELPA Signing Agent <elpasign@HIDDEN>

GNU ELPA is the only repository that has been enabled
(https://elpa.gnu.org/packages).

When I execute package-refresh-contents or when I try to install a
package from ELPA, it fails with the following error:

    Failed to verify signature archive-contents.sig:
    No public key for 066DAFCB81E42C40 created at 2019-04-24T10:15:06+0100 using RSA
    Good signature from 474F05837FBDEF9B GNU ELPA Signing Agent <elpasign@HIDDEN> (trust undefined) created at 2019-04-24T10:15:06+0100 using DSA
    Command output:
    gpg: Signature made Wed 24 Apr 2019 10:15:06 AM BST
    gpg:                using DSA key CA442C00F91774F17F59D9B0474F05837FBDEF9B
    gpg: Good signature from "GNU ELPA Signing Agent <elpasign@HIDDEN>" [unknown]
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner.
    Primary key fingerprint: CA44 2C00 F917 74F1 7F59  D9B0 474F 0583 7FBD EF9B
    gpg: Signature made Wed 24 Apr 2019 10:15:06 AM BST
    gpg:                using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
    gpg: Can't check signature: No public key

So, the signature by GNU ELPA Signing Agent (the key in
etc/package-keyring.gpg) is fine.  However, there is a second key
involved, for which the public key 066DAFCB81E42C40 is unavailable from
any public keyserver that I have tried.  Needless to say, it's not
available in etc/package-keyring.gpg either.  Since I do not have the
public key, the signature verification fails.

Just to be sure, I've also done it on a fresh installation-from-source
with an init.el that is empty apart from setting up package.el.  Same
results.

I have tried this from outside Emacs, by doing, for example:

    wget https://elpa.gnu.org/packages/delight-1.5.el{,.sig}
    gpg2 --verify delight-1.5.el.sig

This, of course, gives the same result as doing it from within Emacs.  I
mention it here to demonstrate that the problem is not in Emacs, from
what I can tell, but it is strictly due to this second, unknown key
signature.

For the extra paranoid, I've tried this on three different systems
residing on three different networks in two different countries.  I'm
pretty sure the problem is on the ELPA server and is a result of the
standard signing process.  However, we can't 100% rule out user
incompetence yet (my own, that is), so I am open to suggestions of what
else I might try to pin down the source of the problem.

Is the public key 066DAFCB81E42C40 available anywhere?  Or have I set up
something else incorrectly in the verification process?  Or is this
second signature there erroneously?

Thanks!

--
-brandon




Acknowledgement sent to Brandon Invergo <brandon@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#35414; Package emacs. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Mon, 30 Sep 2019 22:15:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.