* lisp/emacs-lisp/packages.el: Add all to package-check-signature

(package-check-signature): Add `all` option. (package--check-signature-content): Adjust accordingly.
2019-05-12 13:03:24 -04:00 · 2019-05-12 13:03:24 -04:00 · 3c1967dbfe
commit 3c1967dbfe
parent 29531785a1
2 changed files with 19 additions and 5 deletions
--- a/etc/NEWS
+++ b/etc/NEWS
@ -718,6 +718,12 @@ it can't find the config file.

 ** Package

+*** Change of 'package-check-signature' for packages with multiple sigs
+In previous Emacsen, 't' checked that all signatures are valid.
+Now 't' only checks that at least one signature is valid and the new 'all'
+value needs to be used if you want to enforce that all signatures
+are valid.  This only affects packages with multiple signatures.
+
 *** New function 'package-get-version' lets packages query their own version.
 Example use in auctex.el: '(defconst auctex-version (package-get-version))'

--- a/lisp/emacs-lisp/package.el
+++ b/lisp/emacs-lisp/package.el
@ -334,16 +334,22 @@ default directory."
           (epg-find-configuration 'OpenPGP))
      'allow-unsigned)
  "Non-nil means to check package signatures when installing.
-The value `allow-unsigned' means to still install a package even if
-it is unsigned.
+More specifically the value can be:
+- nil: package signatures are ignored.
+- `allow-unsigned': install a package even if it is unsigned,
+  but if it is signed and we have the key for it, verify the signature.
+- t: accept a package only if it comes with at least one verified signature.
+- `all': same as t, except when the package has several signatures,
+  in which case we verify all the signatures.

 This also applies to the \"archive-contents\" file that lists the
 contents of the archive."
  :type '(choice (const nil :tag "Never")
                 (const allow-unsigned :tag "Allow unsigned")
-                 (const t :tag "Check always"))
+                 (const t :tag "Check always")
+                 (const all :tag "Check all signatures"))
  :risky t
-  :version "24.4")
+  :version "27.1")

 (defcustom package-unsigned-archives nil
  "List of archives where we do not check for package signatures."
@ -1257,7 +1263,9 @@ errors."
          (unless (and (eq package-check-signature 'allow-unsigned)
                       (eq (epg-signature-status sig) 'no-pubkey))
            (setq had-fatal-error t))))
-      (when (or (null good-signatures) had-fatal-error)
+      (when (or (null good-signatures)
+                (and (eq package-check-signature 'all)
+                     had-fatal-error))
        (package--display-verify-error context sig-file)
        (signal 'bad-signature (list sig-file)))
      good-signatures)))