|--==> "SJT" == Stephen J Turnbull <stephen(a)xemacs.org> writes:
>>>>> "SY" == Steve Youngs <youngs(a)xemacs.org> writes:
SY> Another thing that concerns me is that if I apply the patch to
SY> fix the PGP stuff and then start signing the package-index
SY> files it'll bugger up any XEmacsen that is pre-PGP-patch.
SJT> Why is that? Oh, because the current code looks for the signature,
SJT> and if it's not there, asks if it's OK---but if it were there but
SJT> wrong, it would barf?
It barfs because the verification code is wrong, and there is no way
for the user to tell it not to verify the sig. And from what I can
tell, even if the code did work it would only work for PGP 2.6. If
you used PGP 5 or GnuPG, you'd be sunk.
My code will only attempt to verify the sig if
'package-get-require-signed-base-updates' is non-nil and a sig
exists. It also sets the PGP version for MailCrypt depending on what
you have installed.
SJT> What you could do is change the name of the signature, that way only
SJT> patched XEmacsen would know that the signature exists. Put in an
SJT> option not to use it.
So maintain 2 separate package-index files... a signed one for the
bleeding edge crowd, and an unsigned one for everyone else? Possible,
but I'd have to automate it so as to reduce the chances of them
getting messed up or out of sync.
--
|---<Steve Youngs>---------------<GnuPG KeyID: 9E7E2820>---|
| XEmacs - It's not just an editor. |
| It's a way of life. |
|------------------------------------<youngs(a)xemacs.org>---|