I've been signing my modules with subkeys, which is a problem for gpg and
some keyservers: keys cannot be extracted from the keyserver by using the
subkey id.  From http://keyserver.kjsl.com/~jharris/keyserver.html

> Keys with multiple subkeys, a revoked subkey..., duplicate keyids,
> direct key signatures..., revocation signatures on userids..., or photo
> IDs are only handled properly by certain keyservers.... Version 4 RSA
> keys and/or uncommon key types (RFC 2440 and later) may also be stored
> under the wrong keyid and/or report the wrong fingerprint (ala RFC 1991)
> on keyservers running older software. When this happens, search for the
> key by words in the userid, if applicable, or use a server mentioned 
> above instead.

This is really frustrating. I'm not sure how to solve this, aside from
giving up on signing my CPAN uploads altogether.

That signature failures on automated CPAN Tester Reports show up as test
failures only reinforces this view.

I'm curious as to other authors' views on this.

What good are module signatures, anyway? Module::Signature has no form of
authentication to verify that the key which signed a package belongs to me.
The problem with using public keyservers is that anybody can upload a key
claiming to be from anyone else.

But we have an existing authentication infrastructure in PAUSE.  Maybe it's
time to incorporate specialized key distribution into CPAN, and update
signature-checking code to make use of this.

Perhaps a special function could be added to PAUSE where authors upload
their keys and revocation certificates.  These keys are mirrored with CPAN.
Software which checks signatures could download the latest keys from an
authors directory and check that a signed module downloaded from that author
is signed by one of those keys, and no others.

Even better: when an author uploads keys, they are automatically signed by
the upload server as a way to limit tampering of keys on mirrors downstream.

Comments?

Rob
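The key-distribution scheme proposed above (per-author key bundles published by the upload server, countersigned so mirrors cannot alter them, and a checker that accepts only keys registered for that author), as an added example that is not part of the original post and is not PAUSE, CPAN or Module::Signature code. It models the design with Ed25519 from the Go standard library instead of OpenPGP so it runs offline; the names `AuthorKeys`, `Publish`, `Verify`, the author id "ROB" and the tarball bytes are constructed for illustration, and PAUSE has no such function today.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// fingerprint indexes a public key the way a registry would: hex SHA-256 of the key bytes.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// AuthorKeys is the hypothetical bundle the upload server would publish for one author
// and mirror with CPAN: current signing keys, revoked keys, and the server's countersignature.
type AuthorKeys struct {
	Author    string
	Active    []ed25519.PublicKey
	Revoked   []ed25519.PublicKey
	ServerSig []byte // signature by the upload server over Canonical()
}

// Canonical serialises the bundle deterministically so the server signature covers
// exactly the author id and key sets that the verifier will trust.
func (a *AuthorKeys) Canonical() []byte {
	var buf bytes.Buffer
	buf.WriteString("author:" + a.Author + "\n")
	for _, k := range a.Active {
		buf.WriteString("active:" + hex.EncodeToString(k) + "\n")
	}
	for _, k := range a.Revoked {
		buf.WriteString("revoked:" + hex.EncodeToString(k) + "\n")
	}
	return buf.Bytes()
}

// Publish is the upload-server side: countersign the bundle so downstream mirrors cannot tamper with it.
func Publish(serverPriv ed25519.PrivateKey, bundle *AuthorKeys) {
	bundle.ServerSig = ed25519.Sign(serverPriv, bundle.Canonical())
}

// SignedUpload is a distribution plus the author's detached signature and the key claimed to have made it.
type SignedUpload struct {
	Author    string
	Tarball   []byte
	Sig       []byte
	SignerPub ed25519.PublicKey
}

var (
	ErrWrongAuthor      = errors.New("key bundle is for a different author")
	ErrBundleTampered   = errors.New("author key bundle not signed by upload server")
	ErrKeyNotRegistered = errors.New("signing key is not registered for this author")
	ErrKeyRevoked       = errors.New("signing key has been revoked")
	ErrBadSignature     = errors.New("signature does not verify")
)

// Verify is the client side. It trusts only the upload server's key (pinned out of band) and
// accepts the upload only if the bundle is authentic, the signing key is one of the author's
// active keys and no other, and the signature verifies over the tarball.
func Verify(serverPub ed25519.PublicKey, bundle *AuthorKeys, up *SignedUpload) error {
	if bundle.Author != up.Author {
		return ErrWrongAuthor
	}
	if !ed25519.Verify(serverPub, bundle.Canonical(), bundle.ServerSig) {
		return ErrBundleTampered
	}
	fp := fingerprint(up.SignerPub)
	for _, k := range bundle.Revoked {
		if fingerprint(k) == fp {
			return ErrKeyRevoked
		}
	}
	var registered ed25519.PublicKey
	for _, k := range bundle.Active {
		if fingerprint(k) == fp {
			registered = k
			break
		}
	}
	if registered == nil {
		return ErrKeyNotRegistered
	}
	// Verify against the registry's copy of the key, never the copy shipped alongside the upload.
	if !ed25519.Verify(registered, up.Tarball, up.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Scenario builds a registry for one author and runs the cases a checker must tell apart.
// All keys and the tarball are freshly constructed here; nothing is real PAUSE data.
func Scenario() map[string]error {
	serverPub, serverPriv, _ := ed25519.GenerateKey(rand.Reader)
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)
	oldPub, oldPriv, _ := ed25519.GenerateKey(rand.Reader)           // the author's revoked key
	impostorPub, impostorPriv, _ := ed25519.GenerateKey(rand.Reader) // a key someone uploaded to a keyserver in the author's name

	bundle := &AuthorKeys{Author: "ROB", Active: []ed25519.PublicKey{authorPub}, Revoked: []ed25519.PublicKey{oldPub}}
	Publish(serverPriv, bundle)

	tarball := []byte("constructed Foo-Bar-1.00.tar.gz bytes")
	sign := func(priv ed25519.PrivateKey, data []byte) *SignedUpload {
		return &SignedUpload{Author: "ROB", Tarball: data, Sig: ed25519.Sign(priv, data), SignerPub: priv.Public().(ed25519.PublicKey)}
	}

	results := map[string]error{}
	results["genuine"] = Verify(serverPub, bundle, sign(authorPriv, tarball))
	results["impostor"] = Verify(serverPub, bundle, sign(impostorPriv, tarball))
	results["revoked"] = Verify(serverPub, bundle, sign(oldPriv, tarball))

	// A mirror that swaps the impostor's key into the bundle but cannot forge the server's countersignature.
	tampered := &AuthorKeys{Author: "ROB", Active: []ed25519.PublicKey{impostorPub}, ServerSig: bundle.ServerSig}
	results["tampered-mirror"] = Verify(serverPub, tampered, sign(impostorPriv, tarball))

	// Genuine key, but the tarball was altered after signing.
	modified := sign(authorPriv, tarball)
	modified.Tarball = append([]byte{}, tarball...)
	modified.Tarball[0] ^= 1
	results["modified-tarball"] = Verify(serverPub, bundle, modified)
	return results
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-17s %v\n", name, err)
	}
}
```

The point of the structure is that the checker never consults a public keyserver: the only trust root is the upload server's key, and the "impostor" case fails even though the impostor's signature is cryptographically valid, because the key is not in the author's bundle. The revoked-key check runs before the active-key check so that a key listed in both (a stale mirror, say) is still rejected.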
