Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]

2020-11-06 Thread Jean Louis
* Bastien  [2020-11-05 22:59]:
> Thanks a lot, that's very useful.
> 
> Something I'm not sure about: shall we sign only the "archive-contents" file
> or both "archive-contents" and "org-MMDD.tar"?
> 
> For the public key of Org ELPA, where would you expect to download it
> from? https://orgmode.org/elpa/key.asc or https://pgp.mit.edu or both?

Packages shall also be signed. That is how it is in GNU ELPA.

As Org mode is part of Emacs, and you as maintainer are signing it, I
would personally expect it to be in ~/.emacs.d/elpa/gnupg, where the
other key from GNU ELPA is. But as for what is best, maybe you should
coordinate with the GNU ELPA maintainers. I think your key should be
there in central GNU ELPA, and with that key it should be possible to
verify the orgmode.org ELPA as well.



Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]

2020-11-05 Thread Bastien
Thanks a lot, that's very useful.

Something I'm not sure about: shall we sign only the "archive-contents" file
or both "archive-contents" and "org-MMDD.tar"?

For the public key of Org ELPA, where would you expect to download it
from? https://orgmode.org/elpa/key.asc or https://pgp.mit.edu or both?

-- 
 Bastien



Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]

2020-11-05 Thread Jean Louis
* Bastien  [2020-11-05 20:19]:
> Hi Jean Louis,
> 
> Jean Louis  writes:
> 
> > GNU ELPA provides signed archive-contents. Org should provide it too,
> > isn't it?
> 
> can you let us know what are the steps involved in signing
> the archive-contents file?

I found this out because I have the variable `package-check-signature'
turned on. The majority, who get Emacs with the value `allow-unsigned',
will not even see that.

Documentation:
Non-nil means to check package signatures when installing.
More specifically the value can be:
- nil: package signatures are ignored.
- `allow-unsigned': install a package even if it is unsigned, but
  if it is signed, we have the key for it, and OpenGPG is
  installed, verify the signature.
- t: accept a package only if it comes with at least one verified signature.
- `all': same as t, except when the package has several signatures,
  in which case we verify all the signatures.


You may probably automate it. It is in the Emacs Lisp manual:

41.4 Creating and Maintaining Package Archives
==============================================

   One way to increase the security of your packages is to “sign” them
using a cryptographic key.  If you have generated a private/public gpg
key pair, you can use gpg to sign the package like this:

 gpg -ba -o FILE.sig FILE

For a single-file package, FILE is the package Lisp file; for a
multi-file package, it is the package tar file.  You can also sign the
archive’s contents file in the same way.  Make the ‘.sig’ files
available in the same location as the packages.  You should also make
your public key available for people to download; e.g., by uploading it
to a key server such as .  When people install
packages from your archive, they can use your public key to verify the
signatures.

   A full explanation of these matters is outside the scope of this
manual.  For more information on cryptographic keys and signing, *note
GnuPG: (gnupg)Top.  Emacs comes with an interface to GNU Privacy Guard,
*note EasyPG: (epa)Top.
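
The signing step quoted from the manual, applied to a whole archive directory (the index and the package files) and followed by a verification pass. This is an added example, not part of the original message or of the Org or Emacs tooling; the directory layout, the file name org-20201102.tar, the key identity and the throwaway keyring are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): sign an ELPA-style archive directory
# and check that every served file carries a valid detached signature.

# Sign archive-contents and each package file in DIR ($1) with key $2,
# using the manual's "gpg -ba -o FILE.sig FILE" form.
sign_archive() {
    for f in "$1"/archive-contents "$1"/*.el "$1"/*.tar; do
        [ -f "$f" ] || continue
        gpg --batch --yes --local-user "$2" -ba -o "$f.sig" "$f" || return 1
    done
}

# Return non-zero if any served file in DIR ($1) is unsigned or fails to verify.
verify_archive() {
    for f in "$1"/archive-contents "$1"/*.el "$1"/*.tar; do
        [ -f "$f" ] || continue
        [ -f "$f.sig" ] || { echo "unsigned: $f" >&2; return 1; }
        gpg --batch --verify "$f.sig" "$f" 2>/dev/null ||
            { echo "bad signature: $f" >&2; return 1; }
    done
}

# Constructed demo: throwaway keyring and key, sample index and package file.
# Returns 0 only if unsigned and tampered archives are rejected and the
# freshly signed one is accepted; 2 means no test key could be generated.
demo() {
    GNUPGHOME=$(mktemp -d) || return 2
    export GNUPGHOME; chmod 700 "$GNUPGHOME"
    archive=$(mktemp -d) || return 2
    key='elpa-demo@example.invalid'          # constructed identity
    printf '(1 (org . [(20201102) nil "constructed sample" tar]))\n' \
        > "$archive/archive-contents"
    printf 'constructed package payload\n' > "$archive/org-20201102.tar"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$key" default default never 2>/dev/null || return 2
    rc=0
    verify_archive "$archive" 2>/dev/null && rc=3      # unsigned: must fail
    sign_archive "$archive" "$key" || rc=4
    verify_archive "$archive" || rc=5                  # signed: must pass
    echo 'tampered' >> "$archive/archive-contents"
    verify_archive "$archive" 2>/dev/null && rc=6      # modified: must fail
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$archive" "$GNUPGHOME"
    return "$rc"
}

case "${1:-}" in demo) demo ;; esac
```

Run it with the argument demo to exercise the constructed archive; a real archive would call sign_archive with the maintainer's own key and run verify_archive before publishing.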




Re: Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]

2020-11-05 Thread Bastien
Hi Jean Louis,

Jean Louis  writes:

> GNU ELPA provides signed archive-contents. Org should provide it too,
> isn't it?

can you let us know what are the steps involved in signing
the archive-contents file?

Thanks,

-- 
 Bastien



Bug: unsigned file `archive-contents' on orgmode.org [9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)]

2020-11-05 Thread Jean Louis



Remember to cover the basics, that is, what you expected to happen and
what in fact did happen.  You don't know how to make a good report?  See

 https://orgmode.org/manual/Feedback.html#Feedback

Your bug report will be posted to the Org mailing list.


GNU ELPA provides signed archive-contents. Org should provide it too,
isn't it?

Debugger entered--Lisp error: (error "Unsigned file ‘archive-contents’ at https://orgmod...")
  signal(error ("Unsigned file ‘archive-contents’ at https://orgmod..."))
  error("Unsigned file `%s' at %s" "archive-contents" "https://orgmode.org/elpa/")
  #f(compiled-function () #)()
  package--with-response-buffer-1("https://orgmode.org/elpa/" #f(compiled-function () #) :file "archive-contents.sig" :async nil :error-function #f(compiled-function () #) :noerror t)
  package--check-signature("https://orgmode.org/elpa/" "archive-contents" "(1 (org  . [(20201102) ( ) \"Outline-ba..." nil #f(compiled-function ( good-sigs) #) #f(compiled-function () #))
  #f(compiled-function () #)()
  package--with-response-buffer-1("https://orgmode.org/elpa/" #f(compiled-function () #) :file "archive-contents" :async nil :error-function #f(compiled-function () #) :noerror nil)
  package--download-one-archive(("org" . "https://orgmode.org/elpa/") "archive-contents" nil)
  package--download-and-read-archives(nil)
  package-refresh-contents()
  funcall-interactively(package-refresh-contents)
  call-interactively(package-refresh-contents record nil)
  command-execute(package-refresh-contents record)
  execute-extended-command(nil "package-refresh-contents" nil)
  funcall-interactively(execute-extended-command nil "package-refresh-contents" nil)
  call-interactively(execute-extended-command nil nil)
  command-execute(execute-extended-command)


Emacs  : GNU Emacs 28.0.50 (build 25, x86_64-pc-linux-gnu, X toolkit, cairo version 1.14.8, Xaw3d scroll bars)
 of 2020-11-01
Package: Org mode version 9.4 (9.4-19-gb1de0c-elpa @ /home/data1/protected/.emacs.d/elpa/org-20201019/)

-- 
Thanks,
Jean Louis