Adam Kennedy posed me a stumper on #toolchain tonight.  In short, having a
test which checks your signature doesn't appear to be an actual deterrent to
tampering.  The man-in-the-middle can just delete the test, or just the
SIGNATURE file since it's not required.  So why ship a signature test?

The only thing I can think of is to ensure the author that the signature
they're about to ship is valid, but that's not something that needs to be 

It appears that a combination of a CHECKSUMS check against another CPAN mirror
and a SIGNATURE check by a utility external to the code being checked is
effective, and that's what the CPAN shell does.  The CHECKSUMS check makes
sure the distribution hasn't been tampered with.  Checking against a CPAN
mirror other than the one you downloaded the distribution from checks that the
mirror has not been compromised.  Checking the SIGNATURE ensures that the
module is from who you think its from.

 <adam> Schwern: What's the deal with adding 00-signature.t to Test::More?
What's it supposed to achieve?
 <Schwern> Checks that the files patch the author's signature
 <Schwern> s/patch/match/
 <adam> To what end?
 <adam> Is it an anti-tamper thing?
 <Schwern> Well, if it fails then your files are not what the author uploaded
 <Schwern> Yep
 <Schwern> It's semi-redundant with the CPAN shells as they should already be
making that check
 <adam> So... if I was tampering with your module, wouldn't deleting the test
script be the first thing I did?
 <Schwern> You can do that, but there are other things which do a signature 
 <adam> So basically, 00-signature.t as a concept is 1) Exploitable 2)
Redundant 3) A source of spurious failures
 <Schwern> How is it exploitable?
 <adam> I just delete the test script
 <Schwern> That's not exactly an exploit
 <adam> Why not?
 <Schwern> This is getting into semantics, but an exploit implies that you do
something with it, not just diable it.
 <Schwern> disable
 <adam> Granted, it's a trivial exploit
 <Schwern> However, I see your point
 <adam> They also tend to be a source of test failures
 <adam> Because the crypto chain is horrid
 <adam> Can I recommend removing all of them?
 <adam> Just let the CPAN client take care of it?
 <adam> For example, looks like Test::More won't install on Windows if you
have gpg installed?
 <adam> (And Module::Signature)

There will be snacks.

Reply via email to