@vindex package-unsigned-archives
If the user option @code{package-check-signature} is non-@code{nil},
Emacs attempts to verify signatures when you install packages. If the
-option has the value @code{allow-unsigned}, you can still install a
-package that is not signed. If you use some archives that do not sign
-their packages, you can add them to the list @code{package-unsigned-archives}.
+option has the value @code{allow-unsigned}, and a usable OpenPGP
+configuration is found, signed packages will be checked, but you can
+still install a package that is not signed. If you use some archives
+that do not sign their packages, you can add them to the list
+@code{package-unsigned-archives}.
For more information on cryptographic keys and signing,
@pxref{Top,, GnuPG, gnupg, The GNU Privacy Guard Manual}.
:risky t
:version "26.1")
-(defcustom package-check-signature
- (if (and (require 'epg-config)
- (epg-find-configuration 'OpenPGP))
- 'allow-unsigned)
+(defcustom package-check-signature 'allow-unsigned
"Non-nil means to check package signatures when installing.
More specifically the value can be:
- nil: package signatures are ignored.
-- `allow-unsigned': install a package even if it is unsigned,
- but if it is signed and we have the key for it, verify the signature.
+- `allow-unsigned': install a package even if it is unsigned, but
+ if it is signed, we have the key for it, and OpenGPG is
+ installed, verify the signature.
- t: accept a package only if it comes with at least one verified signature.
- `all': same as t, except when the package has several signatures,
in which case we verify all the signatures.
:risky t
:version "27.1")
+(defun package-check-signature ()
+ "Check whether we have a usable OpenPGP configuration.
+If true, and `package-check-signature' is `allow-unsigned',
+return `allow-unsigned', otherwise return the value of
+`package-check-signature'."
+ (if (eq package-check-signature 'allow-unsigned)
+ (progn
+ (require 'epg-config)
+ (and (epg-find-configuration 'OpenPGP)
+ 'allow-unsigned))
+ package-check-signature))
+
(defcustom package-unsigned-archives nil
"List of archives where we do not check for package signatures."
:type '(repeat (string :tag "Archive name"))
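Review bot: The docstring of the new `package-check-signature` function misstates its nil case: when the option is `allow-unsigned` and `epg-find-configuration` finds nothing, the function returns nil rather than "the value of `package-check-signature'", and every caller in the later hunks then treats nil as "signatures are ignored", which is a silent downgrade from verification to none. I would state that explicitly, e.g. ``"Return the effective signature-checking policy. If `package-check-signature' is `allow-unsigned' but no usable OpenPGP configuration is found, return nil (signatures are then ignored); otherwise return the value of `package-check-signature'."``. The defcustom docstring also spells the standard `OpenGPG` on the third `allow-unsigned` line; it should be `OpenPGP`, matching the texinfo hunk. Giving a function and a user option the same name is legal in Emacs Lisp, but it makes every later `package-check-signature' reference in comments and docstrings ambiguous between the two; a distinct name such as `package--check-signature-policy` would avoid that, though this is a style choice.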
(dolist (sig (epg-context-result-for context 'verify))
(if (eq (epg-signature-status sig) 'good)
(push sig good-signatures)
- ;; If package-check-signature is allow-unsigned, don't
+ ;; If `package-check-signature' is allow-unsigned, don't
;; signal error when we can't verify signature because of
;; missing public key. Other errors are still treated as
;; fatal (bug#17625).
- (unless (and (eq package-check-signature 'allow-unsigned)
+ (unless (and (eq (package-check-signature) 'allow-unsigned)
(eq (epg-signature-status sig) 'no-pubkey))
(setq had-fatal-error t))))
(when (or (null good-signatures)
- (and (eq package-check-signature 'all)
+ (and (eq (package-check-signature) 'all)
had-fatal-error))
(package--display-verify-error context sig-file)
(signal 'bad-signature (list sig-file)))
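Review bot: `(package-check-signature)` is now evaluated inside the `dolist` over the verify results, once per signature, and each call performs `(require 'epg-config)` plus `epg-find-configuration`; the policy cannot change mid-loop, so it should be computed once, e.g. bind `(policy (package-check-signature))` in the enclosing `let` (which starts outside this hunk) and test `(eq policy 'allow-unsigned)` in the loop and `(eq policy 'all)` in the `when` below. The rewritten comment `;; If `package-check-signature' is allow-unsigned, don't` now refers to a symbol that names both the option and the new function, while the test beneath it calls the function; I would write `;; If the effective policy (package-check-signature) is allow-unsigned, don't`. The three hunks that follow make the same mechanical substitution with single calls each, which is fine as written.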
:async async :noerror t
;; Connection error is assumed to mean "no sig-file".
:error-form (let ((allow-unsigned
- (eq package-check-signature 'allow-unsigned)))
+ (eq (package-check-signature) 'allow-unsigned)))
(when (and callback allow-unsigned)
(funcall callback nil))
(when unwind (funcall unwind))
(local-file (expand-file-name file dir)))
(when (listp (read content))
(make-directory dir t)
- (if (or (not package-check-signature)
+ (if (or (not (package-check-signature))
(member name package-unsigned-archives))
;; If we don't care about the signature, save the file and
;; we're done.
(let ((default-keyring (expand-file-name "package-keyring.gpg"
data-directory))
(inhibit-message (or inhibit-message async)))
- (when (and package-check-signature (file-exists-p default-keyring))
+ (when (and (package-check-signature) (file-exists-p default-keyring))
(condition-case-unless-debug error
(package-import-keyring default-keyring)
(error (message "Cannot import default keyring: %S" (cdr error))))))
(file (concat (package-desc-full-name pkg-desc)
(package-desc-suffix pkg-desc))))
(package--with-response-buffer location :file file
- (if (or (not package-check-signature)
+ (if (or (not (package-check-signature))
(member (package-desc-archive pkg-desc)
package-unsigned-archives))
;; If we don't care about the signature, unpack and we're