Don't run gpg when loading package.el

* lisp/emacs-lisp/package.el (package-check-signature): Don't run
gpg on startup, but just default to `allow-unsigned'.
(package-check-signature): New function to check whether a OpenPGP
configuration is found when `allow-unsigned'.
(package--check-signature-content, package--check-signature)
(package--download-one-archive, package-refresh-contents)
(package-install-from-archive): Use function instead of variable
throughout.
* doc/emacs/package.texi (Package Installation): Document this.

1 files changed, 5 insertions, 3 deletions

diff --git a/doc/emacs/package.texi b/doc/emacs/package.texi
index 26e64243301..4b33f250c49 100644
--- a/doc/emacs/package.texi
+++ b/doc/emacs/package.texi
@@ -214,9 +214,11 @@ in the @file{etc/package-keyring.gpg}.  Emacs uses it automatically.
 @vindex package-unsigned-archives
   If the user option @code{package-check-signature} is non-@code{nil},
 Emacs attempts to verify signatures when you install packages.  If the
-option has the value @code{allow-unsigned}, you can still install a
-package that is not signed.  If you use some archives that do not sign
-their packages, you can add them to the list @code{package-unsigned-archives}.
+option has the value @code{allow-unsigned}, and a usable OpenPGP
+configuration is found, signed packages will be checked, but you can
+still install a package that is not signed.  If you use some archives
+that do not sign their packages, you can add them to the list
+@code{package-unsigned-archives}.
 
   For more information on cryptographic keys and signing,
 @pxref{Top,, GnuPG, gnupg, The GNU Privacy Guard Manual}.