From 8809ad3e909ff441dfaa3c6b7fe80eaad0bd1e28 Mon Sep 17 00:00:00 2001
From: Craig Jennings
Date: Wed, 1 Jul 2026 22:14:07 -0400
Subject: fix(packages): verify signatures as allow-unsigned, keep GNU keys fresh package-check-signature was nil, skipping verification everywhere. allow-unsigned verifies signatures when an archive provides them while still accepting the unsigned local mirror and .localrepo packages. gnu-elpa-keyring-update installs at bootstrap (non-fatal on failure) so an expired GNU archive key stops being a reason to turn verification off.
---
 early-init.el | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)
(limited to 'early-init.el')
diff --git a/early-init.el b/early-init.el
index f2ed5bfa..d59f0a8b 100644
--- a/early-init.el
+++ b/early-init.el
@@ -253,9 +253,26 @@ early-init.el.")
 ;;(require 'use-package-ensure) ; Needed for :ensure to work
 (setq use-package-always-ensure t) ; Auto-install packages
-;; Package signature checking
-(setq package-check-signature nil)
-;; (setq package-check-signature t)
+;; Keep the GNU ELPA signing keys current so signature verification doesn't
+;; start failing when the archive key expires (the usual reason verification
+;; gets turned off). Failure is non-fatal so a clean-machine bootstrap or an
+;; offline start still comes up.
+(unless (package-installed-p 'gnu-elpa-keyring-update)
+ (condition-case err
+ (progn
+ (unless package-archive-contents
+ (package-refresh-contents))
+ (package-install 'gnu-elpa-keyring-update))
+ (error (message "Failed to install gnu-elpa-keyring-update: %s"
+ (error-message-string err)))))
+
+;; Package signature checking: verify signatures when an archive provides
+;; them, but allow unsigned packages. The checked-in .localrepo and the local
+;; ELPA mirrors serve unsigned packages, so t would reject them, and nil
+;; skipped verification everywhere. If an expired archive key still wedges an
+;; install, temporarily set this to nil (see the commented toggle near the
+;; top of this file), install the keyring update, and restore.
+(setq package-check-signature 'allow-unsigned)
 ;; Optional but recommended for better error messages during config loading
 ;;(setq use-package-expand-minimally nil) ; Better error reporting
--
cgit v1.2.3
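Review bot: `'allow-unsigned` on the last added line still accepts a package, or an archive-contents file, whose signature has simply been left out, so it catches a bad signature but not a stripped one; the comment above the `setq` should say that. If the only unsigned sources are the local mirror and .localrepo, a tighter form is to exempt them by name and require signatures elsewhere: `(setq package-unsigned-archives '("<local-archive-name>"))` together with `(setq package-check-signature t)`. The archive names are not visible in this hunk, so the placeholder has to be replaced with the names used in `package-archives`, and any other configured archive that publishes no signatures would need listing too. The keyring bootstrap also runs before the `setq`, so that install is checked under whatever value is in effect at that point (presumably the Emacs default); moving the `setq` above the `unless` form would make this explicit.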