Patch Emacsen < 27 to use the newer logic for when package-check-signature is t #296

Merged 1 commit on Aug 9, 2024
2 changes: 2 additions & 0 deletions emacs.nix
Expand Up @@ -50,6 +50,8 @@ stdenv.mkDerivation rec {
] ++ lib.optionals
(lib.versionAtLeast version "24.3" && lib.versionOlder version "26.3")
[ ./patches/gnutls-e_again.patch ] ++ lib.optionals
(lib.versionAtLeast version "25.1" && lib.versionOlder version "27.1")
[ ./patches/package-check-signature-all.patch ] ++ lib.optionals
(lib.versionAtLeast version "25.1" && lib.versionOlder version "28.1")
[ ./patches/sigsegv-stack.patch ] ++ lib.optionals (stdenv.isDarwin
&& lib.versionAtLeast version "25.1" && lib.versionOlder version "26.1")
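Review bot: the lower bound `lib.versionAtLeast version "25.1"` on the new `package-check-signature-all.patch` entry is unexplained, while the title says "Emacsen < 27" and the patched defcustom itself carries `:version "24.4"`, so 24.4 and 24.5 builds have the option but keep the old logic. If the patch does not apply cleanly to 24.x, a short comment next to the entry saying so would help; if it does apply, consider widening the range to `"24.4"`.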
44 changes: 44 additions & 0 deletions patches/package-check-signature-all.patch
@@ -0,0 +1,44 @@
Based on upstream commit 3c1967dbfe06b28ac074aee1e55a79bacfc36f8d

diff --git a/lisp/emacs-lisp/package.el b/lisp/emacs-lisp/package.el
index 61cf6906971..949ad711ae3 100644
--- a/lisp/emacs-lisp/package.el
+++ b/lisp/emacs-lisp/package.el
@@ -334,16 +334,22 @@ default directory."
(epg-find-configuration 'OpenPGP))
'allow-unsigned)
"Non-nil means to check package signatures when installing.
-The value `allow-unsigned' means to still install a package even if
-it is unsigned.
+More specifically the value can be:
+- nil: package signatures are ignored.
+- `allow-unsigned': install a package even if it is unsigned,
+ but if it is signed and we have the key for it, verify the signature.
+- t: accept a package only if it comes with at least one verified signature.
+- `all': same as t, except when the package has several signatures,
+ in which case we verify all the signatures.

This also applies to the \"archive-contents\" file that lists the
contents of the archive."
:type '(choice (const nil :tag "Never")
(const allow-unsigned :tag "Allow unsigned")
- (const t :tag "Check always"))
+ (const t :tag "Check always")
+ (const all :tag "Check all signatures"))
:risky t
- :version "24.4")
+ :version "27.1")

(defcustom package-unsigned-archives nil
"List of archives where we do not check for package signatures."
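Review bot: the `:version "27.1"` line at the end of this defcustom is carried over from upstream, but the patch is only applied to versions older than 27.1, so the option will report a version newer than the Emacs it ships in. Either drop that one line from the backport and keep `:version "24.4"`, or note in the "Based on upstream commit" header that it is kept on purpose so the file stays close to upstream. The header could also state what, if anything, differs from commit 3c1967dbfe06b28ac074aee1e55a79bacfc36f8d.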
@@ -1257,7 +1263,9 @@ errors."
(unless (and (eq package-check-signature 'allow-unsigned)
(eq (epg-signature-status sig) 'no-pubkey))
(setq had-fatal-error t))))
- (when (or (null good-signatures) had-fatal-error)
+ (when (or (null good-signatures)
+ (and (eq package-check-signature 'all)
+ had-fatal-error))
(package--display-verify-error context sig-file)
(signal 'bad-signature (list sig-file)))
good-signatures)))
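Review bot: in the new `(when (or (null good-signatures) (and (eq package-check-signature 'all) had-fatal-error))` condition, `had-fatal-error` no longer has any effect unless the value is `all`, so with `t` a signature that fails verification is tolerated as long as one other signature is good. That matches the new docstring, but it is a relaxation for anyone who set `t` on these older versions expecting every signature to be checked; the change should be called out in the project's documentation with a pointer to `all` for the strict behaviour. A test that builds one of the patched versions and checks that `all` is an accepted value would also guard against the patch silently failing to apply.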