Re: Whose keys go on elpa/gnupg/pubring.gpg?

emacs-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Whose keys go on elpa/gnupg/pubring.gpg?

From:	Stefan Monnier
Subject:	Re: Whose keys go on elpa/gnupg/pubring.gpg?
Date:	Thu, 08 Jan 2015 09:20:21 -0500
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)

>>> In that case, where do individual package maintainers' keys go?
>> Nowhere: the signatures only certify that this is the file that was
>> created on elpa.gnu.org.
> That's only the case if elpa.gnu.org is the only repository whose key is on
> the keyring, since package-refresh-contents trusts any repository's key on
> the keyring to sign any other repository's archive-contents file. Again,
> technically not a vulnerability, but still not good.

That's right, except for one nitpick: the signatures themselves do
certify that this file was created on elpa.gnu.org.
It's only the package.el signature-checking which doesn't bother to
check that the signature is made with the repository's corresponding key.


        Stefan

[Prev in Thread]

Current Thread

[Next in Thread]

Whose keys go on elpa/gnupg/pubring.gpg?, Kelly Dean, 2015/01/07
- Re: Whose keys go on elpa/gnupg/pubring.gpg?, Stefan Monnier, 2015/01/08
  - Re: Whose keys go on elpa/gnupg/pubring.gpg?, Kelly Dean, 2015/01/08
    - Re: Whose keys go on elpa/gnupg/pubring.gpg?, Stefan Monnier <=

Prev by Date: Re: Emacs contributions, C and Lisp
Next by Date: Re: Emacs contributions, C and Lisp
Previous by thread: Re: Whose keys go on elpa/gnupg/pubring.gpg?
Next by thread: What's Elpa? (I.e. what did you decide the name refers to?)
Index(es):
- Date
- Thread