Some documentation for signing of packages

* doc/emacs/package.texi (Package Menu, Package Installation): Mention signed packages. * doc/lispref/package.texi (Package Archives): Mention signing packages. * lisp/emacs-lisp/package.el (package-check-signature) (package-unsigned-archives): Doc fixes. * etc/NEWS: Related edits.
author: Glenn Morris 2014-06-04 23:15:44 -0700
committer: Glenn Morris 2014-06-04 23:15:44 -0700
commit: e1b3f35f9373d71f58638e9dcaffc2ff8c4ab3b6 (patch)
tree: e09363a815ba1488ca47c29aa9e7676b0a43ae5d
parent: a56ae34d229242a065fc87d75d80d07ab14641fe (diff)
download: emacs-e1b3f35f9373d71f58638e9dcaffc2ff8c4ab3b6.tar.gz
emacs-e1b3f35f9373d71f58638e9dcaffc2ff8c4ab3b6.zip
7 files changed, 108 insertions, 7 deletions
diff --git a/doc/emacs/ChangeLog b/doc/emacs/ChangeLog
index 27168b00021..6ca98a3f24b 100644
--- a/doc/emacs/ChangeLog
+++ b/doc/emacs/ChangeLog
@@ -1,3 +1,8 @@
+2014-06-05  Glenn Morris  <rgm@gnu.org>
+        * package.texi (Package Menu, Package Installation):
+        Mention signed packages.
 2014-06-03  Glenn Morris  <rgm@gnu.org>
        * package.texi (Package Installation): Mention package-pinned-packages.
diff --git a/doc/emacs/package.texi b/doc/emacs/package.texi
index 98e3c8ac706..9b7f541ac51 100644
--- a/doc/emacs/package.texi
+++ b/doc/emacs/package.texi
@@ -59,8 +59,9 @@ The package's version number (e.g., @samp{11.86}).
 @item
 The package's status---normally one of @samp{available} (can be
-downloaded from the package archive), @samp{installed}, or
+downloaded from the package archive), @samp{installed},
-@samp{built-in} (included in Emacs by default).
+@samp{unsigned} (installed, but not signed; @pxref{Package Signing}),
+or @samp{built-in} (included in Emacs by default).
 The status can also be @samp{new}.  This is equivalent to
 @samp{available}, except that it means the package became newly
@@ -167,6 +168,41 @@ directory name of the package archive.  You can alter this list if you
 wish to use third party package archives---but do so at your own risk,
 and use only third parties that you think you can trust!
+@anchor{Package Signing}
+@cindex package security
+@cindex package signing
+  The maintainers of package archives can increase the trust that you
+can have in their packages by @dfn{signing} them.  They generate a
+private/public pair of crytopgraphic keys, and use the private key to
+create a @dfn{signature file} for each package.  With the public key, you
+can use the signature files to verify who created the package, and
+that it has not been modified.  A valid signature is not a cast-iron
+guarantee that a package is not malicious, so you should still
+exercise caution.  Package archives should provide instructions
+on how you can obtain their public key.  One way is to download the
+key from a server such as @url{http://pgp.mit.edu/}.
+Use @kbd{M-x package-import-keyring} to import the key into Emacs.
+Emacs stores package keys in the @file{gnupg} subdirectory
+of @code{package-user-dir}.
+@c Uncomment this if it becomes true.
+@ignore
+The public key for the GNU package archive is distributed with Emacs,
+in the @file{etc/package-keyring.gpg}.  Emacs uses it automatically.
+@end ignore
+@vindex package-check-signature
+@vindex package-unsigned-archives
+  If the user option @code{package-check-signature} is non-@code{nil},
+Emacs attempts to verify signatures when you install packages.  If the
+option has the value @code{allow-unsigned}, you can still install a
+package that is not signed.  If you use some archives that do not sign
+their packages, you can add them to the list @code{package-unsigned-archives}.
+  For more information on crytopgraphic keys and signing,
+@pxref{Top,, Top, gnupg, The GNU Privacy Guard Manual}.
+Emacs comes with an interface to GNU Privacy Guard,
+@pxref{Top,, EasyPG, epa, Emacs EasyPG Assistant Manual}.
 @vindex package-pinned-packages
  If you have more than one package archive enabled, and some of them
 offer different versions of the same package, you may find the option
diff --git a/doc/lispref/ChangeLog b/doc/lispref/ChangeLog
index e4f5c60c2d1..51f74f2eb12 100644
--- a/doc/lispref/ChangeLog
+++ b/doc/lispref/ChangeLog
@@ -1,3 +1,7 @@
+2014-06-05  Glenn Morris  <rgm@gnu.org>
+        * package.texi (Package Archives): Mention signing packages.
 2014-05-27  Glenn Morris  <rgm@gnu.org>
        * text.texi (Buffer Contents):
diff --git a/doc/lispref/package.texi b/doc/lispref/package.texi
index 4bc50b2358f..cac7519671a 100644
--- a/doc/lispref/package.texi
+++ b/doc/lispref/package.texi
@@ -342,3 +342,38 @@ otherwise, an error is raised.
 @noindent
 After you create an archive, remember that it is not accessible in the
 Package Menu interface unless it is in @code{package-archives}.
+@cindex package archive security
+@cindex package signing
+Maintaining a public package archive entails a degree of responsibility.
+When Emacs users install packages from your archive, those packages
+can cause Emacs to run arbitrary code with the permissions of the
+installing user.  (This is true for Emacs code in general, not just
+for packages.)  So you should ensure that your archive is
+well-maintained and keep the hosting system secure.
+  One way to increase the security of your packages is to @dfn{sign}
+them using a crytopgraphic key.  If you have generated a
+private/public gpg key pair, you can use gpg to sign the package like
+this:
+@c FIXME EasyPG / package-x way to do this.
+@example
+gpg -ba -o @var{file}.sig @var{file}
+@end example
+@noindent
+For a single-file package, @var{file} is the package Lisp file;
+for a multi-file package, it is the package tar file.
+You can also sign the archive's contents file in the same way.
+Make the @file{.sig} files available in the same location as the packages.
+You should also make your public key available for people to download;
+e.g., by uploading it to a key server such as @url{http://pgp.mit.edu/}.
+When people install packages from your archive, they can use
+your public key to verify the signatures.
+A full explanation of these matters is outside the scope of this
+manual.  For more information on crytopgraphic keys and signing,
+@pxref{Top,, GnuPG, gnupg, The GNU Privacy Guard Manual}.  Emacs comes
+with an interface to GNU Privacy Guard, @pxref{Top,, EasyPG, epa,
+Emacs EasyPG Assistant Manual}.
diff --git a/etc/NEWS b/etc/NEWS
index bb9784718fc..fce36903c2b 100644
--- a/etc/NEWS
+++ b/etc/NEWS
@@ -817,12 +817,23 @@ Use `electric-indent-mode' instead.
 ** Package
 +++
+*** The package library now supports digital signing of packages.
+Maintainers of package archives should consider signing their packages
+to enhance security.
+++
+**** If the user option `package-check-signature' is non-nil,
+Emacs tries to check package signatures at install time.
+The value `allow-unsigned' allows installation of unsigned packages.
+++
+**** The user option `package-unsigned-archives' lists archives where
+Emacs will not try to check signatures.
+++
 *** New option `package-pinned-packages'.  This is useful if you have multiple
 archives enabled, with more than one offering a package that you want.
-FIXME
-*** New options `package-check-signature' and `package-unsigned-archives'.
 +++
 *** In the `list-packages' buffer, you can use `f' (`package-menu-filter')
 to filter the list of packages by a keyword.
diff --git a/lisp/ChangeLog b/lisp/ChangeLog
index 6bb2147595d..1280e39ec27 100644
--- a/lisp/ChangeLog
+++ b/lisp/ChangeLog
@@ -1,3 +1,8 @@
+2014-06-05  Glenn Morris  <rgm@gnu.org>
+        * emacs-lisp/package.el (package-check-signature)
+        (package-unsigned-archives): Doc fixes.
 2014-06-03  Martin Rudalics  <rudalics@gmx.at>
        * window.el (display-buffer-use-some-window): Don't make window
diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el
index 028c57da19c..57a5429f0a1 100644
--- a/lisp/emacs-lisp/package.el
+++ b/lisp/emacs-lisp/package.el
@@ -292,7 +292,12 @@ contrast, `package-user-dir' contains packages for personal use."
  :version "24.1")
 (defcustom package-check-signature 'allow-unsigned
-  "Whether to check package signatures when installing."
+  "Non-nil means to check package signatures when installing.
+The value `allow-unsigned' means to still install a package even if
+it is unsigned.
+This also applies to the \"archive-contents\" file that lists the
+contents of the archive."
  :type '(choice (const nil :tag "Never")
                 (const allow-unsigned :tag "Allow unsigned")
                 (const t :tag "Check always"))
@@ -301,7 +306,7 @@ contrast, `package-user-dir' contains packages for personal use."
  :version "24.4")
 (defcustom package-unsigned-archives nil
-  "A list of archives which do not use package signature."
+  "List of archives where we do not check for package signatures."
  :type '(repeat (string :tag "Archive name"))
  :risky t
  :group 'package
author	Glenn Morris	2014-06-04 23:15:44 -0700
committer	Glenn Morris	2014-06-04 23:15:44 -0700
commit	e1b3f35f9373d71f58638e9dcaffc2ff8c4ab3b6 (patch)
tree	e09363a815ba1488ca47c29aa9e7676b0a43ae5d
parent	a56ae34d229242a065fc87d75d80d07ab14641fe (diff)
download	emacs-e1b3f35f9373d71f58638e9dcaffc2ff8c4ab3b6.tar.gz emacs-e1b3f35f9373d71f58638e9dcaffc2ff8c4ab3b6.zip

diff --git a/doc/emacs/ChangeLog b/doc/emacs/ChangeLog index 27168b00021..6ca98a3f24b 100644 --- a/doc/emacs/ChangeLog +++ b/doc/emacs/ChangeLog
@@ -1,3 +1,8 @@
		1	2014-06-05 Glenn Morris <rgm@gnu.org>
		2
		3	* package.texi (Package Menu, Package Installation):
		4	Mention signed packages.
		5
1	2014-06-03 Glenn Morris <rgm@gnu.org>	6	2014-06-03 Glenn Morris <rgm@gnu.org>
2		7
3	* package.texi (Package Installation): Mention package-pinned-packages.	8	* package.texi (Package Installation): Mention package-pinned-packages.


diff --git a/doc/emacs/package.texi b/doc/emacs/package.texi index 98e3c8ac706..9b7f541ac51 100644 --- a/doc/emacs/package.texi +++ b/doc/emacs/package.texi
@@ -59,8 +59,9 @@ The package's version number (e.g., @samp{11.86}).
59		59
60	@item	60	@item
61	The package's status---normally one of @samp{available} (can be	61	The package's status---normally one of @samp{available} (can be
62	downloaded from the package archive), @samp{installed}, or	62	downloaded from the package archive), @samp{installed},
63	@samp{built-in} (included in Emacs by default).	63	@samp{unsigned} (installed, but not signed; @pxref{Package Signing}),
		64	or @samp{built-in} (included in Emacs by default).
64		65
65	The status can also be @samp{new}. This is equivalent to	66	The status can also be @samp{new}. This is equivalent to
66	@samp{available}, except that it means the package became newly	67	@samp{available}, except that it means the package became newly
@@ -167,6 +168,41 @@ directory name of the package archive. You can alter this list if you
167	wish to use third party package archives---but do so at your own risk,	168	wish to use third party package archives---but do so at your own risk,
168	and use only third parties that you think you can trust!	169	and use only third parties that you think you can trust!
169		170
		171	@anchor{Package Signing}
		172	@cindex package security
		173	@cindex package signing
		174	The maintainers of package archives can increase the trust that you
		175	can have in their packages by @dfn{signing} them. They generate a
		176	private/public pair of crytopgraphic keys, and use the private key to
		177	create a @dfn{signature file} for each package. With the public key, you
		178	can use the signature files to verify who created the package, and
		179	that it has not been modified. A valid signature is not a cast-iron
		180	guarantee that a package is not malicious, so you should still
		181	exercise caution. Package archives should provide instructions
		182	on how you can obtain their public key. One way is to download the
		183	key from a server such as @url{http://pgp.mit.edu/}.
		184	Use @kbd{M-x package-import-keyring} to import the key into Emacs.
		185	Emacs stores package keys in the @file{gnupg} subdirectory
		186	of @code{package-user-dir}.
		187	@c Uncomment this if it becomes true.
		188	@ignore
		189	The public key for the GNU package archive is distributed with Emacs,
		190	in the @file{etc/package-keyring.gpg}. Emacs uses it automatically.
		191	@end ignore
		192
		193	@vindex package-check-signature
		194	@vindex package-unsigned-archives
		195	If the user option @code{package-check-signature} is non-@code{nil},
		196	Emacs attempts to verify signatures when you install packages. If the
		197	option has the value @code{allow-unsigned}, you can still install a
		198	package that is not signed. If you use some archives that do not sign
		199	their packages, you can add them to the list @code{package-unsigned-archives}.
		200
		201	For more information on crytopgraphic keys and signing,
		202	@pxref{Top,, Top, gnupg, The GNU Privacy Guard Manual}.
		203	Emacs comes with an interface to GNU Privacy Guard,
		204	@pxref{Top,, EasyPG, epa, Emacs EasyPG Assistant Manual}.
		205
170	@vindex package-pinned-packages	206	@vindex package-pinned-packages
171	If you have more than one package archive enabled, and some of them	207	If you have more than one package archive enabled, and some of them
172	offer different versions of the same package, you may find the option	208	offer different versions of the same package, you may find the option


diff --git a/doc/lispref/ChangeLog b/doc/lispref/ChangeLog index e4f5c60c2d1..51f74f2eb12 100644 --- a/doc/lispref/ChangeLog +++ b/doc/lispref/ChangeLog
@@ -1,3 +1,7 @@
		1	2014-06-05 Glenn Morris <rgm@gnu.org>
		2
		3	* package.texi (Package Archives): Mention signing packages.
		4
1	2014-05-27 Glenn Morris <rgm@gnu.org>	5	2014-05-27 Glenn Morris <rgm@gnu.org>
2		6
3	* text.texi (Buffer Contents):	7	* text.texi (Buffer Contents):


diff --git a/doc/lispref/package.texi b/doc/lispref/package.texi index 4bc50b2358f..cac7519671a 100644 --- a/doc/lispref/package.texi +++ b/doc/lispref/package.texi
@@ -342,3 +342,38 @@ otherwise, an error is raised.
342	@noindent	342	@noindent
343	After you create an archive, remember that it is not accessible in the	343	After you create an archive, remember that it is not accessible in the
344	Package Menu interface unless it is in @code{package-archives}.	344	Package Menu interface unless it is in @code{package-archives}.
		345
		346	@cindex package archive security
		347	@cindex package signing
		348	Maintaining a public package archive entails a degree of responsibility.
		349	When Emacs users install packages from your archive, those packages
		350	can cause Emacs to run arbitrary code with the permissions of the
		351	installing user. (This is true for Emacs code in general, not just
		352	for packages.) So you should ensure that your archive is
		353	well-maintained and keep the hosting system secure.
		354
		355	One way to increase the security of your packages is to @dfn{sign}
		356	them using a crytopgraphic key. If you have generated a
		357	private/public gpg key pair, you can use gpg to sign the package like
		358	this:
		359
		360	@c FIXME EasyPG / package-x way to do this.
		361	@example
		362	gpg -ba -o @var{file}.sig @var{file}
		363	@end example
		364
		365	@noindent
		366	For a single-file package, @var{file} is the package Lisp file;
		367	for a multi-file package, it is the package tar file.
		368	You can also sign the archive's contents file in the same way.
		369	Make the @file{.sig} files available in the same location as the packages.
		370	You should also make your public key available for people to download;
		371	e.g., by uploading it to a key server such as @url{http://pgp.mit.edu/}.
		372	When people install packages from your archive, they can use
		373	your public key to verify the signatures.
		374
		375	A full explanation of these matters is outside the scope of this
		376	manual. For more information on crytopgraphic keys and signing,
		377	@pxref{Top,, GnuPG, gnupg, The GNU Privacy Guard Manual}. Emacs comes
		378	with an interface to GNU Privacy Guard, @pxref{Top,, EasyPG, epa,
		379	Emacs EasyPG Assistant Manual}.


diff --git a/etc/NEWS b/etc/NEWS index bb9784718fc..fce36903c2b 100644 --- a/etc/NEWS +++ b/etc/NEWS
@@ -817,12 +817,23 @@ Use `electric-indent-mode' instead.
817	** Package	817	** Package
818		818
819	+++	819	+++
		820	*** The package library now supports digital signing of packages.
		821	Maintainers of package archives should consider signing their packages
		822	to enhance security.
		823
		824	+++
		825	**** If the user option `package-check-signature' is non-nil,
		826	Emacs tries to check package signatures at install time.
		827	The value `allow-unsigned' allows installation of unsigned packages.
		828
		829	+++
		830	**** The user option `package-unsigned-archives' lists archives where
		831	Emacs will not try to check signatures.
		832
		833	+++
820	*** New option `package-pinned-packages'. This is useful if you have multiple	834	*** New option `package-pinned-packages'. This is useful if you have multiple
821	archives enabled, with more than one offering a package that you want.	835	archives enabled, with more than one offering a package that you want.
822		836
823	FIXME
824	*** New options `package-check-signature' and `package-unsigned-archives'.
825
826	+++	837	+++
827	*** In the `list-packages' buffer, you can use `f' (`package-menu-filter')	838	*** In the `list-packages' buffer, you can use `f' (`package-menu-filter')
828	to filter the list of packages by a keyword.	839	to filter the list of packages by a keyword.


diff --git a/lisp/ChangeLog b/lisp/ChangeLog index 6bb2147595d..1280e39ec27 100644 --- a/lisp/ChangeLog +++ b/lisp/ChangeLog
@@ -1,3 +1,8 @@
		1	2014-06-05 Glenn Morris <rgm@gnu.org>
		2
		3	* emacs-lisp/package.el (package-check-signature)
		4	(package-unsigned-archives): Doc fixes.
		5
1	2014-06-03 Martin Rudalics <rudalics@gmx.at>	6	2014-06-03 Martin Rudalics <rudalics@gmx.at>
2		7
3	* window.el (display-buffer-use-some-window): Don't make window	8	* window.el (display-buffer-use-some-window): Don't make window


diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el index 028c57da19c..57a5429f0a1 100644 --- a/lisp/emacs-lisp/package.el +++ b/lisp/emacs-lisp/package.el
@@ -292,7 +292,12 @@ contrast, `package-user-dir' contains packages for personal use."
292	:version "24.1")	292	:version "24.1")
293		293
294	(defcustom package-check-signature 'allow-unsigned	294	(defcustom package-check-signature 'allow-unsigned
295	"Whether to check package signatures when installing."	295	"Non-nil means to check package signatures when installing.
		296	The value `allow-unsigned' means to still install a package even if
		297	it is unsigned.
		298
		299	This also applies to the \"archive-contents\" file that lists the
		300	contents of the archive."
296	:type '(choice (const nil :tag "Never")	301	:type '(choice (const nil :tag "Never")
297	(const allow-unsigned :tag "Allow unsigned")	302	(const allow-unsigned :tag "Allow unsigned")
298	(const t :tag "Check always"))	303	(const t :tag "Check always"))
@@ -301,7 +306,7 @@ contrast, `package-user-dir' contains packages for personal use."
301	:version "24.4")	306	:version "24.4")
302		307
303	(defcustom package-unsigned-archives nil	308	(defcustom package-unsigned-archives nil
304	"A list of archives which do not use package signature."	309	"List of archives where we do not check for package signatures."
305	:type '(repeat (string :tag "Archive name"))	310	:type '(repeat (string :tag "Archive name"))
306	:risky t	311	:risky t
307	:group 'package	312	:group 'package