* Bastien <b...@gnu.org> [2020-11-05 20:19]:
> Hi Jean Louis,
>
> Jean Louis <bugs@gnu.support> writes:
>
> > GNU ELPA provides signed archive-contents. Org should provide it too,
> > isn't it?
>
> can you let us know what are the steps involved in signing
> the archive-contents file?
This I found out as I have the variable `package-check-signature' turned
on. The majority who get Emacs with the value `allow-unsigned' will not
even see that.

Documentation:

    Non-nil means to check package signatures when installing.
    More specifically the value can be:
    - nil: package signatures are ignored.
    - `allow-unsigned': install a package even if it is unsigned, but
      if it is signed, we have the key for it, and OpenGPG is installed,
      verify the signature.
    - t: accept a package only if it comes with at least one verified
      signature.
    - `all': same as t, except when the package has several signatures,
      in which case we verify all the signatures.

You may probably automate it. It is in the Emacs Lisp manual:

41.4 Creating and Maintaining Package Archives
==============================================

One way to increase the security of your packages is to “sign” them
using a cryptographic key. If you have generated a private/public gpg
key pair, you can use gpg to sign the package like this:

    gpg -ba -o FILE.sig FILE

For a single-file package, FILE is the package Lisp file; for a
multi-file package, it is the package tar file. You can also sign the
archive’s contents file in the same way. Make the ‘.sig’ files available
in the same location as the packages. You should also make your public
key available for people to download; e.g., by uploading it to a key
server such as <https://pgp.mit.edu/>. When people install packages from
your archive, they can use your public key to verify the signatures.

A full explanation of these matters is outside the scope of this manual.
For more information on cryptographic keys and signing, *note GnuPG:
(gnupg)Top. Emacs comes with an interface to GNU Privacy Guard, *note
EasyPG: (epa)Top.
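The steps Bastien asks about, as an added example that is not part of this thread or of Org's own release tooling: a POSIX shell script that signs archive-contents and, going one step further than the question, every package file in the archive directory with detached armored signatures exactly as the manual's `gpg -ba -o FILE.sig FILE` line does, exports the public key for users, and then verifies the whole directory from a separate keyring the way package.el does with `package-check-signature' set to t. The key user-id, the archive directory layout and the sample file contents are assumptions.

```shell
#!/bin/sh
# Sign an ELPA-style package archive directory as the Emacs Lisp manual
# describes (gpg -ba -o FILE.sig FILE), then check the result from a
# client keyring. Assumptions: the signing key lives in $GNUPGHOME and
# has no passphrase; KEY is its user-id or key id (hypothetical values).
set -eu

# Detached, ASCII-armored signature next to the file: FILE -> FILE.sig.
sign_file() {
    gpg --batch --yes --local-user "$2" -ba -o "$1.sig" "$1"
}

# Sign archive-contents and every package: FOO-VER.el for single-file
# packages, FOO-VER.tar for multi-file ones. Prints how many were signed.
sign_archive() {
    dir=$1 key=$2 n=0
    for f in "$dir"/archive-contents "$dir"/*.el "$dir"/*.tar; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal
        sign_file "$f" "$key"
        n=$((n + 1))
    done
    echo "$n"
}

# Publish the public key as archive-key.asc so users can import it into
# `package-gnupghome-dir' (M-x package-import-keyring) or a key server.
export_pubkey() {
    gpg --batch --armor --export "$2" > "$1/archive-key.asc"
}

# Client-side check: verify each FILE.sig against FILE using only the
# keyring in $2, which is what package.el does for every download when
# package-check-signature is t. Fails on the first bad or unverifiable
# signature, so a tampered archive-contents is rejected.
verify_archive() {
    dir=$1 home=$2
    for sig in "$dir"/*.sig; do
        [ -f "$sig" ] || continue
        gpg --homedir "$home" --batch --verify "$sig" "${sig%.sig}" 2>/dev/null \
            || { echo "bad or unverifiable signature: $sig" >&2; return 1; }
    done
    echo "all signatures in $dir verified"
}
```

The signatures are only as good as the key distribution: a user whose keyring lacks archive-key.asc gets "unverifiable", which `allow-unsigned' silently accepts and t rejects.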