Re: PGP verification of package-index files

SY> |--==> "APA" == Adrian Aichner <Adrian.Aichner(a)t-online.de&gt; writes: >> SY> Hi Folks! SY> I've just committed a patch to XEmacs 21.5 that fixes the PGP code in SY> the package tools. SY> Could I please ask those of you who have PGP to test this for me. I SY> want to hear of successes _and_ failures. APA> Here goes: APA> 1. APA> (locate-file "gpg" exec-path) APA> won't do it on Windows, patch forthcoming to use APA> (locate-file "gpg" exec-path exec-suffix-list) I have already commited a patch for the above. SY> Okay, I'll leave that up to you, Adrian. APA> 2. APA> Signaling: (void-function mc-verify) SY> Fixed in CVS shortly (just gotta send in a patch) Yep, mc-verify is woking now. APA> 3. APA> Signaling: (process-error "Searching for program" "/bin/sh") APA> OK, small patch to mailcrypt.el is in order. SY> Sounds like a Windoze[tm] kinda thang. Can you take care of this as SY> well, please Adrian? I have sent in a BIG patch for your approval. Apparently many packages suffer from this problem. Please advise. A locally built mailcrypt package has the above problem fixed. APA> 4. APA> OK, now I have to admit I'm new to PGP. APA> Following failure is due to this: APA> gpg: Signature made 07/30/99 03:48:55 using DSA key ID DCF80B6B APA> gpg: Can't check signature: public key not found SY> Okay. That's not my key. It has the comment "XEmacs distribution key SY> blah blah the key used for signing XEmacs distributions". SY> I can't use that to sign the package-index files because I don't have SY> the secret key for it. And it'd be a pretty big breach of security if SY> someone was to give it to me, so I don't want it. APA> 5. APA> Trying to snarf APA> /ftp＠ftp.xemacs.org:/pub/xemacs/pgp-keys/steve_youngs.asc APA> with mailcrypt-snarf, I get: SY> If you've got 'steve_youngs.asc' still on your system, try doing it SY> manually: SY> gpg --import /path/to/steve_youngs.asc SY> And then to make sure that it is there: SY> gpg --list-keys Right now I have cd C:\Users\AichnerAd\ gpg --list-keys Compilation started at Sun Dec 02 23:17:16 2001 +0100 (W. Europe Standard Time) c:/gnupg/pubring.gpg -------------------- pub 1024D/10D5C9C5 2001-12-02 Steve Youngs <youngs(a)xemacs.org&gt; sub 1024g/12E1DF0C 2001-12-02 Compilation finished at Sun Dec 02 23:17:16 Now I save /ftp.xemacs.org:/pub/xemacs/pgp-keys/steve_youngs.asc locally and import it: cd c:\Users\AichnerAd\www.xemacs.org\ftp\xemacs\pgp-keys\ gpg --import steve_youngs.asc Compilation started at Sun Dec 02 23:39:01 2001 +0100 (W. Europe Standard Time) gpg: key 10D5C9C5: not changed gpg: Total number processed: 1 gpg: unchanged: 1 Compilation finished at Sun Dec 02 23:39:01 The listed keys are still the same as above! SY> The new key (mine) will be the last one on the list. APA> I have this installed: APA> gpg (GnuPG) 1.0.6 SY> This is good. It's what I use. APA> Signaling: (error "No key import status: your GnuPG is too old.") SY> Don't know. I can only presume that it had something to do with your SY> mailcrypt-snarf going wrong. APA> Where do I go from here? SY> Well, hopefully, once I commit a patch to fix a couple of things SY> you've mentioned, and you get those windozie patches in, everything SY> will be "honky-dory". Not quite. Now I get: Signaling: (error "The message was corrupt.") signal(error ("The message was corrupt.")) cerror("The message was corrupt.") apply(cerror "The message was corrupt." nil) error("The message was corrupt.") mc-gpg-verify-parser(#<buffer " *mailcrypt stdout temp"> #<buffer " *mailcrypt stderr temp"> #<buffer " *mailcrypt status temp"> 2 nil) mc-gpg-process-region(1 46330 nil "gpg" ("--batch" "--verify") mc-gpg-verify-parser #<buffer "*MailCrypt*">) mc-gpg-verify-region(1 46330) mc-verify-signature() mc-verify() package-get-update-base-from-buffer(#<buffer "*package database*">) #<compiled-function (&optional db-file force-current) "...(62)" [force-current buf db-file expand-file-name package-get-locate-index-file file-exists-p error "Package-get database file `%s' does not exist" file-readable-p "Package-get database file `%s' not readable" get-buffer-create "*package database*" (...) erase-buffer insert-file-contents-literally package-get-update-base-from-buffer file-remote-p package-get-maybe-save-index] 3 ("c:\\Hacking\\XEmacs\\xemacs-21.5\\lisp\\package-get.elc" . 10952) (let (...) (list ...))>("C:\\Program Files\\XEmacs\\XEmacs-21.4.6\\etc\\package-index.LATEST.pgp") call-interactively(package-get-update-base) and " *mailcrypt stderr temp" has this: gpg: Signature made 07/30/99 03:48:55 using DSA key ID DCF80B6B gpg: Can't check signature: public key not found "*MailCrypt*" is empty even though the PGP SIGNATURE is found in "*package database*" Where to next? Adrian SY> -- SY> |---<Steve Youngs>---------------<GnuPG KeyID: 10D5C9C5>---| SY> | XEmacs - It's not just an editor. | SY> | It's a way of life. | SY> |------------------------------------&lt;youngs(a)xemacs.org&gt;---| -- Adrian Aichner mailto:adrian＠xemacs.org http://www.xemacs.org/