On Thu, Sep 06, 2012 at 07:41:22AM -0400, Rocky Bernstein wrote:
> [FAIL report because of overly-paranoid signature checking?]
>
> http://www.cpantesters.org/cpan/report/a2bf7306-f1d1-11e1-93e0-c591eff0cc48
When I run cpansign -v on your dist, I get an error, but it looks like it's because the key server is down, not that there's something wrong with the signature:

david@pigsty:~/cpantesting/Devel-Trepan-0.35$ ../perl-5.16.0/bin/cpansign -v
Executing gpg --verify --batch --no-tty --keyserver=hkp://pool.sks-keyservers.net:11371 --keyserver-options=auto-key-retrieve SIGNATURE
gpg: Signature made Tue Aug 28 03:16:28 2012 BST using DSA key ID 8275EC21
gpg: requesting key 8275EC21 from hkp server pool.sks-keyservers.net
gpgkeys: HTTP fetch error 7: couldn't connect: eof
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: Can't check signature: public key not found
==> BAD/TAMPERED signature detected! <==

So in this case I think cpansign is correct to complain, and that it's legitimate for the tester to say it didn't pass - although maybe NA would be a more accurate result than FAIL.

If you don't want to rely on dodgy third-party infrastructure, get rid of the SIGNATURE file!

CCed cpan-testers-discuss because maybe the CPANPLUS test reporting stuff needs fixing; CCed Florian Ragwitz because maybe cpansign needs to use a different server.

-- 
David Cantrell | http://www.cantrell.org.uk/david

Computer Science is about lofty design goals and careful algorithmic optimisation.
Sysadminning is about cleaning up the resulting mess.
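One way a test harness could turn the NA-versus-FAIL distinction above into a grade, as an added example that is not part of this thread, of cpansign or of CPANPLUS: it reads the gpg output and reports NA when the key was never obtained (so nothing is known about the dist), FAIL only when gpg had the key and the signature did not match, and PASS on a good signature. The first transcript is the gpg output quoted above; the GOOD and BAD transcripts and the `[GNUPG:]` status-fd lines are constructed samples.

```python
# gpg stderr from the cpansign run quoted in the email above.
KEYSERVER_DOWN = """\
gpg: Signature made Tue Aug 28 03:16:28 2012 BST using DSA key ID 8275EC21
gpg: requesting key 8275EC21 from hkp server pool.sks-keyservers.net
gpgkeys: HTTP fetch error 7: couldn't connect: eof
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
gpg: Can't check signature: public key not found
"""

# Constructed transcripts for the other two outcomes (not from the email).
GOOD = """\
gpg: Signature made Tue Aug 28 03:16:28 2012 BST using DSA key ID 8275EC21
gpg: Good signature from "Example Author <author@example.org>"
"""
BAD = """\
gpg: Signature made Tue Aug 28 03:16:28 2012 BST using DSA key ID 8275EC21
gpg: BAD signature from "Example Author <author@example.org>"
"""

# Constructed machine-readable lines as emitted with gpg --status-fd.
STATUS_NO_KEY = "[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1346120188 9\n[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n"


def classify(gpg_output: str) -> str:
    """Map gpg --verify output to a CPAN Testers style grade.

    FAIL: gpg had the key and the signature did not verify.
    PASS: gpg verified the signature with a key it holds.
    NA:   the key could not be fetched, so the result says nothing
          about whether the dist was tampered with.
    Handles both the human-readable lines and --status-fd tokens.
    """
    lines = gpg_output.splitlines()
    if any(l.startswith("gpg: BAD signature") or "[GNUPG:] BADSIG" in l for l in lines):
        return "FAIL"
    if any(l.startswith("gpg: Good signature") or "[GNUPG:] GOODSIG" in l for l in lines):
        return "PASS"
    key_unavailable = any(
        "public key not found" in l
        or "[GNUPG:] NO_PUBKEY" in l
        or (l.startswith("gpgkeys:") and "error" in l)
        for l in lines
    )
    return "NA" if key_unavailable else "UNKNOWN"
```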