authorCraig Jennings <c@cjennings.net>2026-07-01 22:14:07 -0400
committerCraig Jennings <c@cjennings.net>2026-07-01 22:14:07 -0400
commit8809ad3e909ff441dfaa3c6b7fe80eaad0bd1e28 (patch)
treee7a452b070b6f698681de93814a6bbf620e0df1d /early-init.el
parent4ea52a61560b6fa25b3d04f484c1ab140c723133 (diff)
downloaddotemacs-8809ad3e909ff441dfaa3c6b7fe80eaad0bd1e28.tar.gz
dotemacs-8809ad3e909ff441dfaa3c6b7fe80eaad0bd1e28.zip
fix(packages): verify signatures as allow-unsigned, keep GNU keys fresh
package-check-signature was nil, skipping verification everywhere. allow-unsigned verifies signatures when an archive provides them while still accepting the unsigned local mirror and .localrepo packages. gnu-elpa-keyring-update installs at bootstrap (non-fatal on failure) so an expired GNU archive key stops being a reason to turn verification off.
Diffstat (limited to 'early-init.el')
-rw-r--r--early-init.el23
1 files changed, 20 insertions, 3 deletions
diff --git a/early-init.el b/early-init.el
index f2ed5bfa..d59f0a8b 100644
--- a/early-init.el
+++ b/early-init.el
@@ -253,9 +253,26 @@ early-init.el.")
;;(require 'use-package-ensure) ; Needed for :ensure to work
(setq use-package-always-ensure t) ; Auto-install packages
-;; Package signature checking
-(setq package-check-signature nil)
-;; (setq package-check-signature t)
+;; Keep the GNU ELPA signing keys current so signature verification doesn't
+;; start failing when the archive key expires (the usual reason verification
+;; gets turned off). Failure is non-fatal so a clean-machine bootstrap or an
+;; offline start still comes up.
+(unless (package-installed-p 'gnu-elpa-keyring-update)
+ (condition-case err
+ (progn
+ (unless package-archive-contents
+ (package-refresh-contents))
+ (package-install 'gnu-elpa-keyring-update))
+ (error (message "Failed to install gnu-elpa-keyring-update: %s"
+ (error-message-string err)))))
+
+;; Package signature checking: verify signatures when an archive provides
+;; them, but allow unsigned packages. The checked-in .localrepo and the local
+;; ELPA mirrors serve unsigned packages, so t would reject them, and nil
+;; skipped verification everywhere. If an expired archive key still wedges an
+;; install, temporarily set this to nil (see the commented toggle near the
+;; top of this file), install the keyring update, and restore.
+(setq package-check-signature 'allow-unsigned)
;; Optional but recommended for better error messages during config loading
;;(setq use-package-expand-minimally nil) ; Better error reporting
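Review bot: `'allow-unsigned` on the last added line accepts any package whose `.sig` file is simply absent, so whoever controls what an archive serves (a compromised mirror, or a network attacker on a non-TLS archive) bypasses verification by dropping the signature rather than forging one; the comment above that `setq` should state this limit explicitly, e.g. `;; NOTE: allow-unsigned only catches a tampered-but-still-signed package; a missing .sig is accepted.` The stated reason for not using `t` — the unsigned `.localrepo` and local mirrors — is what `package-unsigned-archives` exists for: `(setq package-check-signature t)` followed by `(setq package-unsigned-archives '("localrepo" "local-gnu"))`, substituting the names those archives are registered under in `package-archives` (not visible in this hunk), keeps strict checking for the remote archives while exempting only the local ones. The `gnu-elpa-keyring-update` install in the same hunk runs before this `setq`, so that package is fetched under whatever `package-check-signature` was in effect at that point, presumably the Emacs default; if that ordering is deliberate a one-line comment there (`;; Installed under the pre-existing check-signature value; the setq below comes after on purpose.`) would save the next reader from wondering.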