* James E Keenan <jkeen_via_google at yahoo.com> [2006/05/07 20:31]:
> When I manually downloaded Pod-Readme-0.08 (which still included a 
> SIGNATURE file), I got this error message:
> 
> [Downloads] 523 $ cd Pod-Readme-0.08
> [Pod-Readme-0.08] 524 $ cpansign -v
> Executing gpg --verify --batch --no-tty 
> --keyserver=hkp://pgp.mit.edu:11371 
> --keyserver-options=auto-key-retrieve SIGNATURE
> gpg: Signature made Mon May  1 12:34:59 2006 EDT using RSA key ID BB72D9C5
> gpg: requesting key BB72D9C5 from hkp server pgp.mit.edu
> gpgkeys: key C5A2D18FBB72D9C5 not found on keyserver
> gpg: no valid OpenPGP data found.
> gpg: Total number processed: 0
> gpg: Can't check signature: public key not found
> ==> BAD/TAMPERED signature detected! <==
> 
> Which is a signing problem ... but not the same signing problem I just 
> reported in the case of Module-Build and PathTools.

Robert said he's signing his modules with a subkey, and the MIT key
server (IIRC) does not support subkeys.  If you use a different
keyserver, you'll find the key:

  $ grep ^keyserver ~/.gnupg/gpg.conf
  keyserver hkp://subkeys.pgp.net

  $ gpg --search 0xBB72D9C5
  Keys 1-2 of 2 for "0xBB72D9C5"
  (1)     Robert Rothenberg (CPAN) <[EMAIL PROTECTED]>
          1024 bit DSA key 5DB01E18, created 2005-11-09
  (2)     Robert Rothenberg <[EMAIL PROTECTED]>
          1024 bit DSA key 5DB01E18, created 2005-11-09

The main key ID is 5DB01E18.  If you grabbed this key from the MIT
keyserver, you could probably verify the signature on Pod::Readme
0.08, assuming the MIT keyserver passed through the subkeys
unmolested.

(darren)

-- 
If you cannot think of three ways of abusing a tool, you do not
understand how to use it.
    -- Gerald Weinberg
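
Added example, not part of the original message and not cpansign's own code: the quoted run reports "BAD/TAMPERED" although gpg only said the public key was not found, so this sketch classifies gpg's machine-readable `--status-fd` lines to keep the two cases apart. The function name and the sample status lines are constructed for illustration; only the key ID comes from the output quoted above.

```shell
#!/bin/sh
# Classify GnuPG status lines read from stdin, e.g. from:
#   gpg --status-fd 1 --verify SIGNATURE 2>/dev/null | classify_gpg_status
# Prints one of: bad-signature | missing-key <keyid> | good-signature | unknown
# classify_gpg_status is a hypothetical helper name, not a gpg or cpansign command.
classify_gpg_status() {
    bad=0
    good=0
    missing=""
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] NO_PUBKEY "*) missing=${line#"[GNUPG:] NO_PUBKEY "} ;;
        esac
    done
    # BADSIG means the signed data failed the cryptographic check; it outranks the rest.
    if [ "$bad" -eq 1 ]; then
        echo "bad-signature"
    # NO_PUBKEY means nothing was checked at all: fetch the key, then verify again.
    elif [ -n "$missing" ]; then
        echo "missing-key $missing"
    # GOODSIG says the signature matches the key; trust in that key is a separate question.
    elif [ "$good" -eq 1 ]; then
        echo "good-signature"
    else
        echo "unknown"
    fi
}

# Constructed sample: status lines of the shape gpg emits when the signing key is absent.
SAMPLE_MISSING_KEY='[GNUPG:] ERRSIG C5A2D18FBB72D9C5 1 2 00 1146501299 9
[GNUPG:] NO_PUBKEY C5A2D18FBB72D9C5'

# Constructed sample: status line of the shape gpg emits for a genuinely failed check.
SAMPLE_BAD_SIG='[GNUPG:] BADSIG C5A2D18FBB72D9C5 Example Signer <signer@example.invalid>'

printf '%s\n' "$SAMPLE_MISSING_KEY" | classify_gpg_status
printf '%s\n' "$SAMPLE_BAD_SIG" | classify_gpg_status
```

A "missing-key" verdict calls for obtaining the key from a trusted source and re-running the check; only "bad-signature" indicates the files no longer match what was signed.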
