> It sounds
> like it means that the signature will be checked only if it is
> present. If the --verify option is used and the signature is missing,
> will the package be downloaded and installed nonetheless?
Yes, and it works the same as the traditional CPAN client with signature
support enabled. Most distributions are not signed because it's an
optional feature. All distributions are checksummed by PAUSE.

> How does one obtain the public key that is used to check
> these signatures? Is it installed along with cpanm?
cpanminus just delegates to Module::Signature::_verify. This fetches the
public key via [HKP](http://enwp.org/OpenPGP_HTTP_Keyserver_Protocol).
