| author | Craig Jennings <c@cjennings.net> | 2026-07-01 22:14:07 -0400 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-07-01 22:14:07 -0400 |
| commit | 8809ad3e909ff441dfaa3c6b7fe80eaad0bd1e28 (patch) | |
| tree | e7a452b070b6f698681de93814a6bbf620e0df1d | |
| parent | 4ea52a61560b6fa25b3d04f484c1ab140c723133 (diff) | |
| download | dotemacs-8809ad3e909ff441dfaa3c6b7fe80eaad0bd1e28.tar.gz dotemacs-8809ad3e909ff441dfaa3c6b7fe80eaad0bd1e28.zip | |
fix(packages): verify signatures as allow-unsigned, keep GNU keys fresh
package-check-signature was nil, skipping verification everywhere. allow-unsigned verifies signatures when an archive provides them while still accepting the unsigned local mirror and .localrepo packages. gnu-elpa-keyring-update installs at bootstrap (non-fatal on failure) so an expired GNU archive key stops being a reason to turn verification off.
| -rw-r--r-- | early-init.el | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/early-init.el b/early-init.el index f2ed5bfa..d59f0a8b 100644 --- a/early-init.el +++ b/early-init.el @@ -253,9 +253,26 @@ early-init.el.") ;;(require 'use-package-ensure) ; Needed for :ensure to work (setq use-package-always-ensure t) ; Auto-install packages -;; Package signature checking -(setq package-check-signature nil) -;; (setq package-check-signature t) +;; Keep the GNU ELPA signing keys current so signature verification doesn't +;; start failing when the archive key expires (the usual reason verification +;; gets turned off). Failure is non-fatal so a clean-machine bootstrap or an +;; offline start still comes up. +(unless (package-installed-p 'gnu-elpa-keyring-update) + (condition-case err + (progn + (unless package-archive-contents + (package-refresh-contents)) + (package-install 'gnu-elpa-keyring-update)) + (error (message "Failed to install gnu-elpa-keyring-update: %s" + (error-message-string err))))) + +;; Package signature checking: verify signatures when an archive provides +;; them, but allow unsigned packages. The checked-in .localrepo and the local +;; ELPA mirrors serve unsigned packages, so t would reject them, and nil +;; skipped verification everywhere. If an expired archive key still wedges an +;; install, temporarily set this to nil (see the commented toggle near the +;; top of this file), install the keyring update, and restore. +(setq package-check-signature 'allow-unsigned) ;; Optional but recommended for better error messages during config loading ;;(setq use-package-expand-minimally nil) ; Better error reporting |
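Review bot: The `gnu-elpa-keyring-update` install block sits above `(setq package-check-signature 'allow-unsigned)`, so on a fresh bootstrap the keyring package itself is fetched under whatever value is in effect at that point, not under the policy this commit sets. Move the `setq` above the `(unless (package-installed-p 'gnu-elpa-keyring-update) ...` form so that the first install is already covered. The new comment should also say that `allow-unsigned` accepts an unsigned package from any archive, not only from .localrepo and the local mirrors, so a remote package that arrives without a signature still installs. If only the local sources need the exemption, setting the variable to `t` and listing those archives in `package-unsigned-archives` would keep verification mandatory for the remote ones. Finally, the condition-case only reports the failure through `message`, which is easy to miss at startup; consider `display-warning` so that a missing keyring update is visible before the archive key expires.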
