64

I just tried to install ascii-art-to-unicode from the gnu repository (http://elpa.gnu.org/) via list-packages. I get the following error:

    package--check-signature: Failed to verify signature 
       ascii-art-to-unicode-1.9.el.sig: ("No public key 
       for 474F05837FBDEF9B created at 2014-09-24T16:20:01+0200 
       using DSA")

I'm using cask/pallet to manage my packages; is there some setup I missed? Some recent changes to elpa?

I'm using an emacs 24.4 pre-release.

Tom Regner
  • 1
    I had a similar problem today updating org-mode from elpa (though I used package.el). Might be a temporary problem with their servers. – Malabarba Sep 25 '14 at 13:38

9 Answers

58
  1. set package-check-signature to nil, e.g. M-: (setq package-check-signature nil) RET
  2. download the package gnu-elpa-keyring-update and run the function with the same name, e.g. M-x package-install RET gnu-elpa-keyring-update RET.
  3. reset package-check-signature to the default value allow-unsigned, e.g. M-: (setq package-check-signature 'allow-unsigned) RET

This worked for me.

As stated in the package the following holds:

If your keys are already too old, causing signature verification errors when installing packages, then in order to install this package you can do the following:

  • Fetch the new key manually, e.g. with something like:

    gpg --homedir ~/.emacs.d/elpa/gnupg --receive-keys 066DAFCB81E42C40
    
  • Modify the expiration date of the old key, e.g. with something like:

    gpg --homedir ~/.emacs.d/elpa/gnupg \
        --quick-set-expire 474F05837FBDEF9B 1y
    
  • temporarily disable signature verification (see variable `package-check-signature').

joe_maya
  • 3
    It shouldn't be necessary to explicitly run the function: installing the package should be sufficient because it should run the function for you automatically. – Stefan Oct 14 '19 at 18:31
  • Ahh ok. Hard to test it now that it works, but I think you're right. – joe_maya Oct 14 '19 at 23:43
  • 4
    In case someone else is as confused as me: the command for step 3 is `M-: (setq package-check-signature "allow-unsigned") RET` with quotations – user2740 Feb 18 '20 at 19:19
  • 4
    When trying to install gnu-elpa-keyring-update, I only get a [no match] message. Could you please help @joe_maya – Leo Aug 27 '20 at 13:18
  • @Leo try `M-x package-refresh-contents` before installing `gnu-elpa-keyring-update`, it should solve the [no match] issue – user2739472 Jun 11 '21 at 13:39
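
Steps 1 to 3 of the answer above, scoped so that verification is off only for the one install, as an added example that is not part of the original answer or of package.el. The `my/` function names are hypothetical; the code assumes the archive is registered under the name "gnu" in `package-archives` and, following Stefan's comment further down about HTTPS, refuses to run if that archive is not fetched over `https://`.

```elisp
;;; Added example (not from the thread).  Function names are hypothetical.
(require 'package)

(defun my/elpa-archive-insecure-p (name)
  "Return non-nil unless archive NAME in `package-archives' uses https://."
  (let ((url (cdr (assoc name package-archives))))
    (not (and url (string-prefix-p "https://" url)))))

(defun my/elpa-refresh-keyring ()
  "Install `gnu-elpa-keyring-update' with signature checks off for this call only.
The previous value of `package-check-signature' (by default the symbol
`allow-unsigned') comes back automatically when the `let' exits, even
if the download signals an error."
  (interactive)
  ;; With verification off, TLS is the only integrity check left,
  ;; so do not proceed over plain HTTP.
  (when (my/elpa-archive-insecure-p "gnu")
    (user-error "The \"gnu\" archive is missing or not configured with an https:// URL"))
  (let ((package-check-signature nil)
        ;; Only GNU ELPA is contacted while checks are disabled.
        (package-archives (list (assoc "gnu" package-archives))))
    (package-refresh-contents)
    (package-install 'gnu-elpa-keyring-update))
  ;; Back outside the `let': re-read every configured archive, this time
  ;; with verification on and the updated keyring in place.
  (package-refresh-contents)
  (message "package-check-signature is %S again" package-check-signature))
```

Because the variable is bound with `let` rather than changed with `setq`, there is no step 3 to forget and the session never ends up with verification left disabled.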
17

FWIW - I had this issue with the signature org-20140407.tar.sig. Like Sigma's package-check-signature is/was allow-unsigned.

I changed the package-check-signature value to nil and the problem was resolved.

  • 1
    Thanks! I would never guess that "allow-unsigned" doesn't mean what it's supposed to mean... – avp Sep 23 '19 at 07:59
  • 2
    If you set it to nil, make sure you access the `elpa.gnu.org` repository via HTTPS, otherwise you're opening yourself to easy security attacks. – Stefan Sep 27 '19 at 14:29
  • 1
    @avp: `allow-unsigned` means that you allow installing packages which don't have signatures. But this package *does* have a signature (one you can't check because you don't have the needed key in your keyring)! – Stefan Sep 01 '20 at 01:38
15

If you try to install the package gnu-elpa-keyring-update (which seems to have the purpose of updating the keys used by the package manager), you will see in its description that you can do:

    gpg --homedir ~/.emacs.d/elpa/gnupg --receive-keys 066DAFCB81E42C40

on the command line to get new keys manually. To make sure you are asking for the correct key (066DAFCB81E42C40 in the example above), check the error message that emacs gives you when you try to install any package.

Johan
5

It appears that the key used to sign this package (474F05837FBDEF9B) is indeed not published (therefore cannot be signed, therefore cannot be trusted). But it would seem that package.el is supposed to fail gracefully (for now) in such cases:

    ;; If package-check-signature is allow-unsigned, don't
    ;; signal error when we can't verify signature because of
    ;; missing public key.  Other errors are still treated as
    ;; fatal (bug#17625).
    (unless (and (eq package-check-signature 'allow-unsigned)
                 (eq (epg-signature-status sig) 'no-pubkey))
      (setq had-fatal-error t))

So I'm wondering if for some reason your value of package-check-signature is different than its default value of allow-unsigned?

Sigma
  • `package-check-signature` is `allow-unsigned`; that leaves the `epg-signature-status` -- hmm. – Tom Regner Sep 26 '14 at 07:06
  • `sig=[cl-struct-epg-signature bad 474F05837FBDEF9B nil nil nil nil nil nil nil nil nil] status=bad` - note that the problem is still present. – sds Feb 02 '16 at 19:00
  • 1
    `allow-unsigned` means to allow installation of packages that are not signed, as opposed to packages which are signed but whose signature you're not able to verify. This is used so you can install from ELPA archives which don't sign their packages (MELPA was like that last time I checked). – Stefan Sep 27 '19 at 14:24
5

The answers here are a bit dated. This issue seems to have been fixed as of emacs 26.3.

3

Alternatively, you could upgrade to a newer emacs, e.g. on Ubuntu:

    sudo add-apt-repository ppa:ubuntu-elisp/ppa
    sudo apt-get update
    sudo apt-get install emacs-snapshot

This way you avoid doing all this: https://elpa.gnu.org/packages/gnu-elpa-keyring-update.html

serv-inc
2

Get the public key with:

    gpg2 --homedir ~/.emacs.d/elpa/gnupg --receive-keys 066DAFCB81E42C40

Attention: your version could be a different key!

Stefan
sdhd
1

Setting package-check-signature to nil instead of the default allow-unsigned fixed this for me.

Fedora 29, GNU Emacs 26.2 (build 1, x86_64-redhat-linux-gnu, GTK+ Version 3.24.8) of 2019-04-30

Stefan
P. Hawkins
0

I get:

    % gpg --homedir ~/.emacs.d/elpa/gnupg --receive-keys 066DAFCB81E42C40
    gpg: key 066DAFCB81E42C40: new key but contains no user ID - skipped
    gpg: Total number processed: 1
    gpg:           w/o user IDs: 1
Chelmite