diff options
| author | Jens Lechtenboerger | 2017-04-11 12:27:37 +0300 |
|---|---|---|
| committer | Eli Zaretskii | 2017-04-11 12:27:37 +0300 |
| commit | 695eacc21ea08b7fa080a232eadae881b5295bef (patch) | |
| tree | 175dfbbc0bb302b0d2554ade99b0b3cf07090119 /doc | |
| parent | 291b76f91ea991c9fa8e57b55df1b68704931445 (diff) | |
| download | emacs-695eacc21ea08b7fa080a232eadae881b5295bef.tar.gz emacs-695eacc21ea08b7fa080a232eadae881b5295bef.zip | |
Introduce customizable variable 'package-gnupghome-dir'
* lisp/emacs-lisp/package.el (package-import-keyring)
(package--check-signature-content, package-check-signature):
Use new variable package-gnupghome-dir to control which GnuPG
homedir to use.
* doc/emacs/package.texi: Mention package-gnupghome-dir.
* etc/NEWS: Mention package-gnupghome-dir.
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/emacs/package.texi | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/doc/emacs/package.texi b/doc/emacs/package.texi index d6f88aaec3c..ecc955d3efe 100644 --- a/doc/emacs/package.texi +++ b/doc/emacs/package.texi | |||
| @@ -193,15 +193,22 @@ and use only third parties that you think you can trust! | |||
| 193 | can have in their packages by @dfn{signing} them. They generate a | 193 | can have in their packages by @dfn{signing} them. They generate a |
| 194 | private/public pair of cryptographic keys, and use the private key to | 194 | private/public pair of cryptographic keys, and use the private key to |
| 195 | create a @dfn{signature file} for each package. With the public key, you | 195 | create a @dfn{signature file} for each package. With the public key, you |
| 196 | can use the signature files to verify who created the package, and | 196 | can use the signature files to verify the package creator and make sure |
| 197 | that it has not been modified. A valid signature is not a cast-iron | 197 | the package has not been tampered with. Signature verification uses |
| 198 | @uref{https://www.gnupg.org/, the GnuPG package} via the EasyPG | ||
| 199 | interface (@pxref{Top,, EasyPG, epa, Emacs EasyPG Assistant Manual}). | ||
| 200 | A valid signature is not a cast-iron | ||
| 198 | guarantee that a package is not malicious, so you should still | 201 | guarantee that a package is not malicious, so you should still |
| 199 | exercise caution. Package archives should provide instructions | 202 | exercise caution. Package archives should provide instructions |
| 200 | on how you can obtain their public key. One way is to download the | 203 | on how you can obtain their public key. One way is to download the |
| 201 | key from a server such as @url{http://pgp.mit.edu/}. | 204 | key from a server such as @url{http://pgp.mit.edu/}. |
| 202 | Use @kbd{M-x package-import-keyring} to import the key into Emacs. | 205 | Use @kbd{M-x package-import-keyring} to import the key into Emacs. |
| 203 | Emacs stores package keys in the @file{gnupg} subdirectory | 206 | Emacs stores package keys in the directory specified by the variable |
| 204 | of @code{package-user-dir}. | 207 | @code{package-gnupghome-dir}, by default in the @file{gnupg} |
| 208 | subdirectory of @code{package-user-dir}, which causes Emacs to invoke | ||
| 209 | GnuPG with the option @samp{--homedir} when verifying signatures. | ||
| 210 | If @code{package-gnupghome-dir} is @code{nil}, GnuPG's option | ||
| 211 | @samp{--homedir} is omitted. | ||
| 205 | The public key for the GNU package archive is distributed with Emacs, | 212 | The public key for the GNU package archive is distributed with Emacs, |
| 206 | in the @file{etc/package-keyring.gpg}. Emacs uses it automatically. | 213 | in the @file{etc/package-keyring.gpg}. Emacs uses it automatically. |
| 207 | 214 | ||