Package: emacs25-common
Version: 25.1+1-4+deb9u1
Severity: normal
File: /usr/share/emacs/25.1/etc/package-keyring.gpg
Dear Maintainer (Rob Browning?),
This problem in emacs 25 (in Debian old-stable) is the same as the
problem that was fixed in Debian current stable (buster) emacs 26
with this changelog message:
https://metadata.ftp-master.debian.org/changelogs//main/e/emacs/emacs_26.1+1-3.2+deb10u1_changelog
[START-QUOTATON]
emacs (1:26.1+1-3.2+deb10u1) buster; urgency=high
* Update the EPLA packaging key (previous key expires 2019-09-23) via
the upstream commit f16785d361097df9fddfcc0b60ae6f0d92e7e911. Add the
old and new keyrings to debian/ and debian/source/include-binaries
since debian/patches/ can't handle git binary diffs. Thanks to Stefan
Monnier for reporting the problem and providing the patch.
-- Rob Browning Wed, 04 Sep 2019 21:35:24 -0500
[END-QUOTATION]
File package-keyring.gpg holds the public key that emacs uses to
verify packages from the gnu emacs lisp package archive (ELPA) to be
used by emacs: see http://elpa.gnu.org
That key expired on 2019-09-23.
The gnu emacs package archive maintainer has created a new key and
used it to sign the package archive.
Adding the new key to the package-keyring.gpg fixes the problem.
(I've done that manually on one of the machines I use.)
Upstream GNU emacs added the new public key in maintenance release
26.3 (released almost a month before the old key expired).
http://www.gnu.org/software/emacs/
* Symptoms at present are:
** Cannot fetch/update the list of available packages
Running the "list-packages" command in emacs causes in the
following messages (visible in the *Messages" buffer):
Importing package-keyring.gpg...done
error in process filter: package--check-signature-content: Failed to
verify signature: "archive-contents.sig"
error in process filter: Failed to verify signature: "archive-contents.sig"
Likewise, the "package-refresh-contents" command causes
Importing package-keyring.gpg...done
Contacting host: elpa.gnu.org:80 [2 times]
Failed to download ‘gnu’ archive.
** Cannot install packages from the gnu archive
E.g.
Failed to verify signature ace-window-0.9.0.el.sig:
No public key for 066DAFCB81E42C40 created at 2019-09-21T18:55:08+0100 using RSA
Command output:
gpg: Signature made Sat 21 Sep 2019 18:55:08 BST
gpg:using RSA key C433554766D3DDC64221BFAA066DAFCB81E42C40
gpg: Can't check signature: No public key
* More diagnostic details
I've checked the Debian package details, changelog, and bug tracker;
I see that this hasn't been fixed and there's no existing bug.
Examining the contents of the keyring (on Ubuntu 18.04 LTS which
inherits the file from Debian) shows the expired key:
gpg --list-keys -v --no-default-keyring --keyring \
/usr/share/emacs/25.2/etc/package-keyring.gpg
gpg: using pgp trust model
/usr/share/emacs/25.2/etc/package-keyring.gpg
-
pub dsa2048 2014-09-24 [SC] [expired: 2019-09-23]
CA442C00F91774F17F59D9B0474F05837FBDEF9B
uid [ expired] GNU ELPA Signing Agent
-- System Information:
Debian Release: buster/sid
APT prefers bionic-updates
APT policy: (500, 'bionic-updates'), (500, 'bionic-security'), (500,
'bionic'), (100, 'bionic-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.15.0-72-generic (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages emacs25-common depends on:
ii emacsen-common 2.0.8
ii install-info6.5.0.dfsg.1-2
Versions of packages emacs25-common recommends:
ii emacs25-el 25.2+1-6
Versions of packages emacs25-common suggests:
ii emacs25-common-non-dfsg 25.2+1-1
pn ncurses-term
-- no debconf information
