Adam Kennedy posed me a stumper on #toolchain tonight.  In short, having a
test which checks your signature doesn't appear to be an actual deterrent to
tampering.  The man-in-the-middle can just delete the test, or just the
SIGNATURE file since it's not required.  So why ship a signature test?

The only purpose I can think of is to assure the author that the signature
they're about to ship is valid, but that check doesn't need to be shipped
with the distribution.

It appears that a combination of a CHECKSUMS check against another CPAN mirror
and a SIGNATURE check by a utility external to the code being checked is
effective, and that's what the CPAN shell does.  The CHECKSUMS check makes
sure the distribution hasn't been tampered with.  Checking against a CPAN
mirror other than the one you downloaded the distribution from checks that the
mirror has not been compromised.  Checking the SIGNATURE ensures that the
module really comes from the author you think it's from.
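The combination just described, as an added example that is not the CPAN shell's code and is not part of this post: a small Python checker that runs from outside the distribution, so removing t/00-signature.t cannot switch it off. The distribution contents, the two mirrors and their CHECKSUMS values are constructed; the SIGNATURE layout follows Module::Signature's clearsigned digest list, and the digest algorithm (SHA256) and the simplified CHECKSUMS shape (file name to sha256) are assumptions.

```python
"""Out-of-band check of a CPAN distribution (added example, not CPAN.pm code).

Two independent checks, both run by a tool that lives OUTSIDE the
distribution being checked:
  1. the tarball digest must match the CHECKSUMS entry on the download
     mirror AND on a second mirror (a compromised mirror disagrees);
  2. every digest in the signed list inside SIGNATURE must match the
     unpacked file, MANIFEST included, so removing a test file shows up
     as a modified MANIFEST plus a missing file.
All data below is constructed; SHA256 is assumed as the digest.
"""
import hashlib
import io
import re
import shutil
import subprocess
import tarfile

# Constructed sample distribution: file name -> contents (not a real dist).
DIST_NAME = "Foo-1.00.tar"
DIST_FILES = {
    "Changes": b"1.00  first release\n",
    "MANIFEST": b"Changes\nMANIFEST\nlib/Foo.pm\nt/00-signature.t\n",
    "lib/Foo.pm": b"package Foo;\n1;\n",
    "t/00-signature.t": b"use Test::Signature;\nsignature_ok();\n",
}


def make_signature_file(files):
    """Build a SIGNATURE file: clearsigned 'SHA256 <hex> <name>' lines.
    The PGP signature block is a constructed placeholder (no key here)."""
    lines = [f"SHA256 {hashlib.sha256(d).hexdigest()} {n}"
             for n, d in sorted(files.items()) if n != "SIGNATURE"]
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            + "\n".join(lines)
            + "\n-----BEGIN PGP SIGNATURE-----\n"
            "(constructed placeholder for the author's signature)\n"
            "-----END PGP SIGNATURE-----\n")


def parse_signed_digests(sig_text):
    """Extract the signed digest list: name -> (algorithm, hexdigest)."""
    m = re.search(r"-----BEGIN PGP SIGNED MESSAGE-----\nHash: \S+\n\n(.*?)\n"
                  r"-----BEGIN PGP SIGNATURE-----", sig_text, re.S)
    if not m:
        raise ValueError("SIGNATURE carries no signed digest list")
    signed = {}
    for line in m.group(1).splitlines():
        algo, hexd, name = line.split(" ", 2)
        signed[name] = (algo, hexd)
    return signed


def check_signed_digests(files, sig_text):
    """Return a list of problems; an empty list means the tree matches."""
    signed = parse_signed_digests(sig_text)
    problems = []
    for name, (algo, hexd) in signed.items():
        if name not in files:
            problems.append(f"missing: {name}")
        elif hashlib.new(algo.lower(), files[name]).hexdigest() != hexd:
            problems.append(f"modified: {name}")
    for name in files:
        if name != "SIGNATURE" and name not in signed:
            problems.append(f"unsigned: {name}")
    return problems


def verify_pgp_signature(signature_path):
    """The signature over the digest list itself: delegate to gpg, as
    Module::Signature does.  Not exercised on the constructed data."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg is not installed")
    result = subprocess.run(["gpg", "--verify", signature_path],
                            capture_output=True)
    return result.returncode == 0


def tarball_bytes(files):
    """Pack the tree into an uncompressed tar (deterministic: mtime 0)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo("Foo-1.00/" + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def cross_mirror_check(tarball, checksums_by_mirror, dist_name):
    """Each mirror's CHECKSUMS maps dist file name -> sha256 (simplified
    from the Perl hash real mirrors serve).  All consulted mirrors must
    agree, and the agreed value must match what was actually downloaded."""
    claimed = {m: c.get(dist_name) for m, c in checksums_by_mirror.items()}
    if len(set(claimed.values())) != 1:
        return False, f"mirrors disagree on {dist_name}: {claimed}"
    expected = next(iter(claimed.values()))
    if expected != hashlib.sha256(tarball).hexdigest():
        return False, f"downloaded {dist_name} does not match CHECKSUMS"
    return True, "ok"


def tampered_copy(files):
    """The modification discussed in the post: the signature test removed
    and MANIFEST edited to match, so the dist still looks self-consistent."""
    copy = dict(files)
    del copy["t/00-signature.t"]
    copy["MANIFEST"] = b"Changes\nMANIFEST\nlib/Foo.pm\n"
    return copy


if __name__ == "__main__":
    sig = make_signature_file(DIST_FILES)
    print("pristine:", check_signed_digests(DIST_FILES, sig))
    print("tampered:", check_signed_digests(tampered_copy(DIST_FILES), sig))
    good = hashlib.sha256(tarball_bytes(DIST_FILES)).hexdigest()
    mirrors = {"download-mirror": {DIST_NAME: good},
               "second-mirror": {DIST_NAME: good}}
    print(cross_mirror_check(tarball_bytes(tampered_copy(DIST_FILES)),
                             mirrors, DIST_NAME))
```

The point the chat below circles around is visible in `check_signed_digests`: the signed list covers MANIFEST, so deleting the test and editing MANIFEST to hide the deletion produces both a "modified: MANIFEST" and a "missing: t/00-signature.t" finding, provided the check is performed by something the distribution itself cannot remove. The cross-mirror CHECKSUMS comparison is what catches a tampered tarball or a single compromised mirror; neither check depends on any test inside the distribution.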


 <adam> Schwern: What's the deal with adding 00-signature.t to Test::More?
What's it supposed to achieve?
 <Schwern> Checks that the files patch the author's signature
 <Schwern> s/patch/match/
 <adam> To what end?
 <adam> Is it an anti-tamper thing?
 <Schwern> Well, if it fails then your files are not what the author uploaded
 <Schwern> Yep
 <Schwern> It's semi-redundant with the CPAN shells as they should already be
making that check
 <adam> So... if I was tampering with your module, wouldn't deleting the test
script be the first thing I did?
 <Schwern> You can do that, but there are other things which do a signature 
check
 <adam> So basically, 00-signature.t as a concept is 1) Exploitable 2)
Redundant 3) A source of spurious failures
 <Schwern> How is it exploitable?
 <adam> I just delete the test script
 <Schwern> That's not exactly an exploit
 <adam> Why not?
 <Schwern> This is getting into semantics, but an exploit implies that you do
something with it, not just diable it.
 <Schwern> disable
 <adam> Granted, it's a trivial exploit
 <Schwern> However, I see your point
 <adam> They also tend to be a source of test failures
 <adam> Because the crypto chain is horrid
 <adam> Can I recommend removing all of them?
 <adam> Just let the CPAN client take care of it?
 <adam> For example, looks like Test::More won't install on Windows if you
have gpg installed?
 <adam> (And Module::Signature)


-- 
There will be snacks.