2017-09-28

Something to try out: Quicklisp with OpenPGP and SHA verification

I've got a test version of Quicklisp available. It uses pure Common Lisp code to verify file SHA digests and OpenPGP signatures, from bootstrap to library loading.

To try it out, fetch the following file:

  https://www.quicklisp.org/tmp/quicklisp.lisp

Load it into a Lisp implementation with (load "quicklisp.lisp") and follow the prompts. It's best to start with a Lisp that doesn't have Quicklisp already loaded automatically from the init file.

The PGP public key for Quicklisp releases is embedded directly in quicklisp.lisp, but you can also fetch it from another source and pass :public-key-file "/path/to/separate/key" as an argument to quicklisp-quickstart:install to verify against that specific key file instead.

If you do try it, move your existing, working Quicklisp install out of the way first, or use the :path option to install to a test location. Otherwise, you could clobber a working Quicklisp setup.

This verification code slows things down a bit because it does a lot of arithmetic. The slowdown is most dramatic in implementations like ABCL and CLISP.

If everything works as it should, you won't notice anything very different from the normal Quicklisp install, except some slowdown during verification and some output indicating what checks were attempted and passed.

If you run into problems, or something doesn't work as you expect, please let me know at zach@quicklisp.org.

Thanks!

4 comments:

  1. Thanks Zach. Any advice if we already have been using quicklisp and _do_ have it installed?

    Replies
    1. You can move the ~/quicklisp/ directory out of the way, and move it back in place when you're done testing.

  2. Where is the signature/fingerprint of that file?
