32

My init.el uses this to initialize packages:

```elisp
(package-initialize)
(add-to-list 'package-archives '("gnu" . "http://elpa.gnu.org/packages/"))
(add-to-list 'package-archives '("melpa" . "http://melpa.milkbox.net/packages/"))
(add-to-list 'package-archives '("melpa-stable" . "http://melpa-stable.milkbox.net/packages/"))
```

When I do M-x package-refresh-contents I get the following error: Failed to download `gnu' archive.

M-x toggle-debug-on-error gives me this stacktrace:

```
Debugger entered--Lisp error: (error "Failed to verify signature archive-contents.sig: (\"No public key for 474F05837FBDEF9B created at 2014-09-29T07:20:03-0700 using DSA\")")
  signal(error ("Failed to verify signature archive-contents.sig: (\"No public key for 474F05837FBDEF9B created at 2014-09-29T07:20:03-0700 using DSA\")"))
  error("Failed to verify signature %s: %S" "archive-contents.sig" ("No public key for 474F05837FBDEF9B created at 2014-09-29T07:20:03-0700 using DSA"))
  package--check-signature("http://elpa.gnu.org/packages/" "archive-contents")
  package--download-one-archive(("gnu" . "http://elpa.gnu.org/packages/") "archive-contents")
```

Is this a problem with my configuration, and how would I fix it?

yayitswei
  • [Same question on Emacs StackExchange](http://emacs.stackexchange.com/questions/233/how-to-proceed-on-package-el-signature-check-failure) has more information. – DomQ Dec 17 '16 at 12:59

5 Answers

25

Looks like a bug in your version of Emacs. You can probably circumvent it by setting package-check-signature to nil.

Stefan
  • I'm on Version 24.3.50 (9.0). Would upgrading Emacs help? Is there a newer downloadable build for Mac OS X? – yayitswei Sep 30 '14 at 02:37
  • 2
    24.3.50 means "some snapshot of the code during the development of 24.4". We moved on to 24.3.90 around April, so your snapshot is ancient by now (a snapshot older than a month is already "old") and deserves to be retired. – Stefan Sep 30 '14 at 03:21
  • 1
    On 24.3.93 and it works great now, thank you! No more scary red "UNSIGNED" tags in the package list. – yayitswei Sep 30 '14 at 21:44
  • 2
    Here same problem with emacs-24.4 in Fedora 21 – alvaropg Feb 02 '15 at 09:24
  • had the same issue and fixed it by upgrading emacs - used emacs 24.3 before, upgraded to https://github.com/railwaycat/emacs-mac-port (emacs 24.5.1 for now) and the issue is gone – xhh Apr 02 '15 at 01:11
  • 1
    [this is a problem with elpa](https://lists.gnu.org/archive/html/bug-gnu-emacs/2014-12/msg00781.html), not with emacs – sds Oct 12 '15 at 13:59
24

This is not an error caused by misconfiguration but is due to the change of the file package-keyring.gpg from Emacs 26.3. As stated in the release notes:

New GPG key for GNU ELPA package signature checking.

I believe the newer packages from GNU ELPA repository are signed for this new keyring to check.

The simple way to fix it is to upgrade to Emacs 26.3.

But if you are like me and don't bother to upgrade, you can download the package-keyring.gpg file from here and put it in the etc/ directory under your Emacs installation location. In my case, it is /usr/local/share/emacs/26.1/etc/package-keyring.gpg. The location might be different for different installation methods (apt, yum, etc.) on various platforms (macOS, Windows, etc.).

Alternatively, you can try to install the package gnu-elpa-keyring-update to automatically update the keyring in the future.

Lei Zhao
  • Do you by any chance know a solution that works without root privileges? – kdb Jan 31 '20 at 14:29
  • Of course, you can install [gnu-elpa-keyring-update](http://elpa.gnu.org/packages/gnu-elpa-keyring-update.html) or follow the instructions from the README of that package. But I believe that the effective directory is `~/.emacs.d/elpa/gnupg`. – Lei Zhao Feb 03 '20 at 09:49
  • I am on Emacs 26.3 and I still get this error. – Draif Kroneg Jun 24 '21 at 19:03
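
A scoped form of the two workarounds above (setting `package-check-signature` to nil, and installing `gnu-elpa-keyring-update`), given as an added example that is not code from any answer here or from package.el. The `my/` function names are hypothetical; it assumes Emacs 26.1 or later, `gpg` on the PATH, and a GnuTLS-enabled build so the `https://` GNU ELPA URL can be used.

```elisp
;; Added example (not code from any answer on this page).
;; Assumes Emacs 26.1+ (for `package-gnupghome-dir'), gpg on PATH and a
;; GnuTLS-enabled build so the https:// archive URL works.
(require 'package)
(require 'epg)

(defun my/elpa-key-known-p (key-id)
  "Return non-nil if KEY-ID is in the keyring package.el verifies against."
  (let ((ctx (epg-make-context 'OpenPGP)))
    ;; package.el keeps its own GnuPG home, separate from ~/.gnupg.
    (when package-gnupghome-dir
      (setf (epg-context-home-directory ctx) package-gnupghome-dir))
    (epg-list-keys ctx key-id)))

(defun my/install-elpa-keyring-update (key-id)
  "Install `gnu-elpa-keyring-update' with checking off for this call only.
Return non-nil if KEY-ID is in the package keyring afterwards."
  ;; Both variables are special, so `let' rebinds them dynamically and the
  ;; user's own values are restored when the form exits, even on error.
  (let ((package-check-signature nil)
        ;; The one unverified download goes over TLS, from GNU ELPA only.
        (package-archives '(("gnu" . "https://elpa.gnu.org/packages/"))))
    (package-refresh-contents)
    (package-install 'gnu-elpa-keyring-update))
  ;; Verification is back on here; a remaining key problem shows up as the
  ;; same "Failed to download `gnu' archive" message as in the question.
  (package-refresh-contents)
  (my/elpa-key-known-p key-id))

;; Key ID copied from the error message in the question:
;; (my/install-elpa-keyring-update "474F05837FBDEF9B")
```

Unlike a global `(setq package-check-signature nil)`, this leaves signature checking enabled for every later `package-install` and for the other archives.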
17

For anyone else that doesn't have the signature problem, try to initialise package

M-x package-initialize

H.Rabiee
  • 1
    this was the only solution to my problem; _not_ installing `gnutls`, `gnupg`, changing `https` to `http`, or adding a `/` after `packages` – xdavidliu Aug 31 '19 at 16:04
  • This helped. Does anyone know what causes the state that is fixed by initializing packages? – charliesneath Mar 04 '21 at 14:09
13

My issue was that I was missing gpg (gnupg).

On OSX I solved this by using brew install gpg.

William Denman
  • The code should work just fine without `gpg` (it will just skip checking the signatures), so this is still a problem that needs to be solved. If you can reproduce it, please `M-x report-emacs-bug` providing as many details as you can. – Stefan Feb 03 '15 at 17:42
  • 11
    Bug is #19409 (https://lists.gnu.org/archive/html/bug-gnu-emacs/2014-12/msg00781.html); if I understand correctly ELPA has been broken since September, 2014 (at least) because some joker signed a package with a key that they didn't publish... And nobody seems to care. – DomQ Feb 07 '15 at 13:01
0

I installed emacs on Arch Linux, opened it, ran package-refresh-contents and got this issue. After a while, I realized I had no init file. If this is your case, create your init file with emacs ~/.emacs.d/init.el and then add the following content:

```elisp
(package-initialize)
(add-to-list 'package-archives '("gnu" . "http://elpa.gnu.org/packages/"))
(add-to-list 'package-archives '("melpa" . "http://melpa.milkbox.net/packages/"))
```

Save it with C-x C-s and run package-refresh-contents again. This time it will work.

e18r