Package: emacs25-common Version: 25.1+1-4+deb9u1 Severity: normal File: /usr/share/emacs/25.1/etc/package-keyring.gpg
Dear Maintainer (Rob Browning?), This problem in emacs 25 (in Debian old-stable) is the same as the problem that was fixed in Debian current stable (buster) emacs 26 with this changelog message: https://metadata.ftp-master.debian.org/changelogs//main/e/emacs/emacs_26.1+1-3.2+deb10u1_changelog [START-QUOTATON] emacs (1:26.1+1-3.2+deb10u1) buster; urgency=high * Update the EPLA packaging key (previous key expires 2019-09-23) via the upstream commit f16785d361097df9fddfcc0b60ae6f0d92e7e911. Add the old and new keyrings to debian/ and debian/source/include-binaries since debian/patches/ can't handle git binary diffs. Thanks to Stefan Monnier for reporting the problem and providing the patch. -- Rob Browning <r...@defaultvalue.org> Wed, 04 Sep 2019 21:35:24 -0500 [END-QUOTATION] File package-keyring.gpg holds the public key that emacs uses to verify packages from the gnu emacs lisp package archive (ELPA) to be used by emacs: see http://elpa.gnu.org That key expired on 2019-09-23. The gnu emacs package archive maintainer has created a new key and used it to sign the package archive. Adding the new key to the package-keyring.gpg fixes the problem. (I've done that manually on one of the machines I use.) Upstream GNU emacs added the new public key in maintenance release 26.3 (released almost a month before the old key expired). http://www.gnu.org/software/emacs/ * Symptoms at present are: ** Cannot fetch/update the list of available packages Running the "list-packages" command in emacs causes in the following messages (visible in the *Messages" buffer): Importing package-keyring.gpg...done error in process filter: package--check-signature-content: Failed to verify signature: "archive-contents.sig" error in process filter: Failed to verify signature: "archive-contents.sig" Likewise, the "package-refresh-contents" command causes Importing package-keyring.gpg...done Contacting host: elpa.gnu.org:80 [2 times] Failed to download ‘gnu’ archive. ** Cannot install packages from the gnu archive E.g. Failed to verify signature ace-window-0.9.0.el.sig: No public key for 066DAFCB81E42C40 created at 2019-09-21T18:55:08+0100 using RSA Command output: gpg: Signature made Sat 21 Sep 2019 18:55:08 BST gpg: using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40 gpg: Can't check signature: No public key * More diagnostic details I've checked the Debian package details, changelog, and bug tracker; I see that this hasn't been fixed and there's no existing bug. Examining the contents of the keyring (on Ubuntu 18.04 LTS which inherits the file from Debian) shows the expired key: gpg --list-keys -v --no-default-keyring --keyring \ /usr/share/emacs/25.2/etc/package-keyring.gpg gpg: using pgp trust model /usr/share/emacs/25.2/etc/package-keyring.gpg --------------------------------------------- pub dsa2048 2014-09-24 [SC] [expired: 2019-09-23] CA442C00F91774F17F59D9B0474F05837FBDEF9B uid [ expired] GNU ELPA Signing Agent <elpas...@elpa.gnu.org> -- System Information: Debian Release: buster/sid APT prefers bionic-updates APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500, 'bionic'), (100, 'bionic-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.15.0-72-generic (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages emacs25-common depends on: ii emacsen-common 2.0.8 ii install-info 6.5.0.dfsg.1-2 Versions of packages emacs25-common recommends: ii emacs25-el 25.2+1-6 Versions of packages emacs25-common suggests: ii emacs25-common-non-dfsg 25.2+1-1 pn ncurses-term <none> -- no debconf information