
I was trying to install Emacs on my Windows 8.1 machine (thus WSL is not an option). I downloaded the file from a mirror (emacs-26.3-x86_64.zip), along with its signature (emacs-26.3-x86_64.zip.sig). However, when I try to verify it with Cygwin, I get this:

$ gpg --verify emacs-26.3-x86_64.zip.sig emacs-26.3-x86_64.zip
  gpg: Signature made 08/30/19 14:04:16 ope
  gpg:                using RSA key 84930FFB79B645F7DEA29AD0AC6DD3FFD1D046BD
  gpg: Good signature from "Phillip Lord <phillip.lord@newcastle.ac.uk>" [expired]
  gpg:                 aka "Phillip Lord <phillip.lord@russet.org.uk>" [expired]
  gpg: WARNING: This key has been revoked by its owner!
  gpg:          This could mean that the signature is forged.
  gpg: reason for revocation: No reason specified
  gpg: revocation comment: Revocation Certification produced at generation time
  gpg: Note: This key has expired!
  Primary key fingerprint: 8493 0FFB 79B6 45F7 DEA2  9AD0 AC6D D3FF D1D0 46BD

Now, is this file safe to install?

  • file was signed before revocation? – Muihlinn Aug 12 '20 at 13:10
  • @Muihlinn I don't know, that's why I am asking. I suppose that, if you're right, there would be no problem – Alessandro Bertulli Aug 12 '20 at 14:00
  • As a rule of thumb, if it has been revoked it's unsafe. To be on the safe side you should ask the signer to replace the files signed with his current key. On the other hand, it looks like that key expired in February this year, so it's supposed to have been valid at signing time. It's up to you to decide. – Muihlinn Aug 12 '20 at 15:18

1 Answer

No, the key has been revoked. It does say that the signature matched what was expected, but if the key was stolen then the signature could be forged. The Emacs community really should get together to verify the binaries and then resign them.

Update:

I happened to notice that Windows binaries of Emacs 27 have been posted to https://alpha.gnu.org/gnu/emacs/pretest/windows/emacs-27/. This release is newer than the one you've got, and it's signed with a different key. Perhaps if you tried it you'll get better results.

db48x
  • Thank you, it seems version 27.1 worked. Now the signature is valid, though it says "gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner.". I guess it is because no one has signed that signature yet, right? – Alessandro Bertulli Aug 13 '20 at 17:18
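The question's output and the follow-up comment on the answer show the three things a verification run can tell you separately: whether the signature matches the file, whether the key is revoked or expired, and whether the key is certified in your keyring. GnuPG exposes all of this in machine-readable form when run as `gpg --status-fd 1 --verify file.sig file`. The script below is an added example, not code from the question, the answer or the Emacs project: it parses those status lines and turns them into an accept/reject decision with reasons. The two embedded status transcripts are constructed to mirror the question (revoked and expired key) and the comment on the answer (good signature, uncertified key); the fingerprint is the one quoted in the question, the keyword names and field order follow GnuPG's doc/DETAILS, and the epoch timestamps are assumptions (signature time read as 2019-08-30 14:04:16 UTC; the expiry date, which the thread gives only as "February", is placed at 2020-02-01 UTC).

```python
"""Interpret a GnuPG --verify run from its --status-fd output.

Added example (not from the question or answer). Capture the lines with
``gpg --status-fd 1 --verify file.sig file`` and pass stdout to parse_status().
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PREFIX = "[GNUPG:] "

# Constructed sample mirroring the question: signature matches, but the key is
# revoked and has expired. Fingerprint is the one shown in the question; the
# timestamps are assumptions (see lead-in).
FPR = "84930FFB79B645F7DEA29AD0AC6DD3FFD1D046BD"
STATUS_REVOKED = f"""\
[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG AC6DD3FFD1D046BD Phillip Lord <phillip.lord@newcastle.ac.uk>
[GNUPG:] VALIDSIG {FPR} 2019-08-30 1567173856 0 4 0 1 10 00 {FPR}
[GNUPG:] KEYREVOKED
[GNUPG:] KEYEXPIRED 1580515200
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample mirroring the comment on the answer: the signature is good,
# but the (hypothetical) key carries no certification in the local keyring.
FPR2 = "0000000000000000000000000123456789ABCDEF"
STATUS_UNTRUSTED = f"""\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG {FPR2} 2020-08-10 1597017600 0 4 0 1 10 00 {FPR2}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


@dataclass
class Verdict:
    sig_valid: bool = False        # GOODSIG / EXPKEYSIG / REVKEYSIG seen
    bad_sig: bool = False          # BADSIG seen: file does not match signature
    key_revoked: bool = False
    key_expired: bool = False
    sig_time: Optional[int] = None     # signature creation, seconds since epoch
    key_expiry: Optional[int] = None   # key expiry, seconds since epoch
    trust: str = "unknown"         # from the TRUST_* line
    signer: str = ""
    fingerprint: str = ""


def parse_status(text: str) -> Verdict:
    """Collect the status keywords relevant to a signature decision."""
    v = Verdict()
    for raw in text.splitlines():
        if not raw.startswith(PREFIX):
            continue  # gpg's human-readable lines go to stderr; ignore anything else
        parts = raw[len(PREFIX):].split()
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw in ("GOODSIG", "EXPKEYSIG", "REVKEYSIG"):
            # All three mean the cryptographic check passed; they differ only
            # in the state of the key that made the signature.
            v.sig_valid = True
            v.signer = " ".join(args[1:])
            v.key_revoked = v.key_revoked or kw == "REVKEYSIG"
            v.key_expired = v.key_expired or kw == "EXPKEYSIG"
        elif kw == "BADSIG":
            v.bad_sig = True
        elif kw == "VALIDSIG" and len(args) >= 3:
            v.fingerprint = args[0]
            v.sig_time = int(args[2])
        elif kw == "KEYREVOKED":
            v.key_revoked = True
        elif kw == "KEYEXPIRED" and args:
            v.key_expired = True
            v.key_expiry = int(args[0])
        elif kw.startswith("TRUST_"):
            v.trust = kw[len("TRUST_"):].lower()
    return v


def signed_before_expiry(v: Verdict) -> Optional[bool]:
    """True/False when both timestamps are known, None otherwise."""
    if v.sig_time is None or v.key_expiry is None:
        return None
    return v.sig_time < v.key_expiry


def assess(v: Verdict) -> Tuple[bool, List[str]]:
    """Accept/reject decision plus the reasons a reviewer would want logged."""
    findings: List[str] = []
    if v.bad_sig:
        return False, ["BADSIG: the file does not match the signature"]
    if not v.sig_valid:
        return False, ["no verifiable signature was found"]
    if v.key_revoked:
        # The status output carries no revocation time, so it cannot show
        # whether the signature predates whatever caused the revocation.
        return False, [f"key {v.fingerprint} is revoked; do not trust the signature"]
    if v.key_expired:
        if signed_before_expiry(v) is True:
            findings.append("key has expired since, but the signature predates the expiry")
        else:
            return False, ["signature was made after the key expired, or timing is unknown"]
    if v.trust in ("undefined", "never", "marginal", "unknown"):
        findings.append(f"key {v.fingerprint} is not certified with trusted signatures; "
                        "confirm the fingerprint out of band before relying on it")
    else:
        findings.append("key is trusted in this keyring")
    return True, findings


if __name__ == "__main__":
    for label, sample in (("revoked", STATUS_REVOKED), ("untrusted", STATUS_UNTRUSTED)):
        ok, reasons = assess(parse_status(sample))
        print(label, "->", "accept" if ok else "reject", reasons)
```

The split between `parse_status` and `assess` is deliberate: the first records what gpg reported, the second encodes policy. The policy here rejects any revoked key outright, which is the stance the answer takes, and accepts an expired key only when the signature's own timestamp precedes the expiry, which is the check the comment thread reasons about informally. The "not certified" finding corresponds to the warning quoted in the last comment; it is not a failure of the signature, only a statement that nothing in your keyring vouches for the key, so the fingerprint still has to be confirmed from an independent source.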