I've been signing my modules with subkeys, which is a problem for gpg and some keyservers: keys cannot be extracted from the keyserver by using the subkey id. From http://keyserver.kjsl.com/~jharris/keyserver.html

> Keys with multiple subkeys, a revoked subkey..., duplicate keyids,
> direct key signatures..., revocation signatures on userids..., or photo
> IDs are only handled properly by certain keyservers.... Version 4 RSA
> keys and/or uncommon key types (RFC 2440 and later) may also be stored
> under the wrong keyid and/or report the wrong fingerprint (ala RFC 1991)
> on keyservers running older software. When this happens, search for the
> key by words in the userid, if applicable, or use a server mentioned
> above instead.

This is really frustrating. I'm not sure how to solve this, aside from giving up on signing my CPAN uploads altogether. That signature failures on automated CPAN Tester Reports show up as test failures only reinforces this view.

I'm curious as to other authors' views on this. What good are module signatures, anyway? Module::Signature has no form of authentication to verify that the key which signed a package belongs to me. The problem with using public keyservers is that anybody can upload a key claiming to be from anyone else.

But we have an existing authentication infrastructure in PAUSE. Maybe it's time to incorporate specialized key distribution into CPAN, and update signature-checking code to make use of this.

Perhaps a special function could be added to PAUSE where authors upload their keys and revocation certificates. These keys are mirrored with CPAN. Software which checks signatures could download the latest keys from an author's directory and check that a signed module downloaded from that author is signed by one of those keys, and no others.

Even better: when an author uploads keys, they are automatically signed by the upload server as a way to limit tampering with keys on mirrors downstream.

Comments?

Rob
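The trust chain proposed above (PAUSE counter-signs each author's uploaded key; a client accepts a distribution only if it is signed by one of that author's counter-signed keys and no other) as an added example, not code from PAUSE, CPAN or Module::Signature. It stands in Ed25519 for OpenPGP and constructs all keys and the distribution bytes inline; the AuthorCert record, IssueCert and VerifyModule are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AuthorCert models the record PAUSE would publish per key (assumed format):
// the author's public key plus PAUSE's signature over (author ID || key).
type AuthorCert struct {
	Author string
	Key    ed25519.PublicKey
	Sig    []byte
}

func certBytes(author string, key ed25519.PublicKey) []byte {
	return append([]byte(author+"\x00"), key...)
}

// IssueCert models the upload server counter-signing an author's key.
func IssueCert(pausePriv ed25519.PrivateKey, author string, key ed25519.PublicKey) AuthorCert {
	return AuthorCert{Author: author, Key: key, Sig: ed25519.Sign(pausePriv, certBytes(author, key))}
}

// VerifyModule accepts dist only if sig verifies under a key that carries a
// valid PAUSE counter-signature for this author. Keys mirrored without (or
// with a bad) counter-signature are ignored, so a tampered mirror or a
// keyserver upload in someone else's name cannot introduce a signing key.
func VerifyModule(pausePub ed25519.PublicKey, author string, certs []AuthorCert, dist, sig []byte) bool {
	for _, c := range certs {
		if c.Author != author || len(c.Key) != ed25519.PublicKeySize {
			continue
		}
		if !ed25519.Verify(pausePub, certBytes(c.Author, c.Key), c.Sig) {
			continue
		}
		if ed25519.Verify(c.Key, dist, sig) {
			return true
		}
	}
	return false
}

func main() {
	pausePub, pausePriv, _ := ed25519.GenerateKey(rand.Reader)
	robPub, robPriv, _ := ed25519.GenerateKey(rand.Reader)
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader) // key uploaded elsewhere claiming to be ROB
	certs := []AuthorCert{IssueCert(pausePriv, "ROB", robPub)}
	dist := []byte("Foo-Bar-1.00.tar.gz (constructed contents)")
	fmt.Println(VerifyModule(pausePub, "ROB", certs, dist, ed25519.Sign(robPriv, dist))) // true
	fmt.Println(VerifyModule(pausePub, "ROB", certs, dist, ed25519.Sign(malPriv, dist))) // false
	certs = append(certs, AuthorCert{Author: "ROB", Key: malPub}) // listed under ROB but not counter-signed
	fmt.Println(VerifyModule(pausePub, "ROB", certs, dist, ed25519.Sign(malPriv, dist))) // false
}
```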