ELPA signing key expired
kelleyk opened this issue · 3 comments
An email from Eugene J. (thank you!) has tipped me off that a GPG key related to the PPA has apparently expired. This apparently came up in a Gitter chat related to Spacemacs (https://gitter.im/syl20bnr/spacemacs?at=5de67bce9319bb5190d6f67d). I haven't had a chance to investigate the actual issue yet.
[Edit:] Aha: this looks like it might be a problem with the rotation of the ELPA signing key supplied with Emacs, which broke my personal installation until I figured out how to update the key.
I think it only affects Emacs 25.x This is how error log looks it is Emacs 25 CI. Emacs 26 is ok.
That would make sense. The original key was generated in 2014-09 and, after a five-year life, expired in 2019-09. A new key was generated in 2019-04; it also has a five-year life, so it will expire in 2024-04. This key was added to the keyring in 26f9a77. This was backported to Emacs 26.3 as 916510b.
Users who are impacted will want to follow the directions in the README for the gnu-elpa-keyring-update package and then (once ELPA is working again for you) install that package. As long as you're installing package updates semi-regularly, you will then get new signing keys before the old ones expire.
I believe that I recall (from when this issue hit my own installation) that installing a newer version of Emacs did not actually resolve the issue, because doing that didn't blow away the existing ~/.emacs.d/elpa/gnupg directory, which contains only the older, expired keys.
I'm not sure how to feel about updating my packages for older versions of Emacs to include newer signing keys, but it should not be difficult. Comments from folks using the packages would be welcome.
I've cherry-picked 26f9a77 onto the 25.3 branch as c09215a and pushed new emacs25 packages. Any Emacs 25 packages from the PPA with version 25.3~2 or later should include the new 2019 signing key, which expires in 2024.
Please let me know if there is any trouble with these new packages, since I don't personally use Emacs 25 any longer!