Re: Module::Signature issues
Even so, there are problems. How many users know to change their keyservers? (I wasn't aware of a need to do this until I ran across this problem.)

When it cannot find the key, the software James is using (CPAN or CPANPLUS) reports it as

    gpg: Total number processed: 0
    gpg: Can't check signature: public key not found
    == BAD/TAMPERED signature detected! ==

Rather than saying it was unable to check the signature, it says BAD/TAMPERED signature detected. That's wrong. CPANPLUS reports this as a failure to CPAN Testers, which is annoying. (I believe this will be fixed in a later version, though.)

Audrey mentioned (on CPAN Ratings) that some bugs with regard to end-of-line issues were fixed in the latest version.

I'm sure there are some workarounds to use a different keyserver by default to handle the subkey problem. So I might (re)start signing modules when these issues are fixed. But I think in the long term, the trust issue should be taken care of. I've not heard any feedback on this yet.

Darren Chamberlain wrote:
> Robert said he's signing his modules with a subkey, and the MIT key server (IIRC) does not support subkeys. If you use a different keyserver, you'll find the key:
>
>     $ grep ^keyserver ~/.gnupg/gpg.conf
>     keyserver hkp://subkeys.pgp.net
>     $ gpg --search 0xBB72D9C5
>     Keys 1-2 of 2 for 0xBB72D9C5
>     (1) Robert Rothenberg (CPAN) rrwo[at]cpan.org
>         1024 bit DSA key 5DB01E18, created 2005-11-09
>     (2) Robert Rothenberg robrwo[at]gmail.com
>         1024 bit DSA key 5DB01E18, created 2005-11-09
>
> The main key ID is 5DB01E18. If you grabbed this key from the MIT keyserver, you could probably verify the signature on Pod::Readme 0.08, assuming the MIT keyserver passed through the subkeys unmolested.
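The misreporting described above, as an added example that is not part of the original thread or of Module::Signature, CPAN or CPANPLUS: a small Python classifier that separates "could not be verified" (missing public key, keyserver timeout) from an actual bad signature, using the gpg output lines quoted in this thread as constructed sample input. The `[GNUPG:]` keywords are from gpg's `--status-fd` interface; the `Outcome` names and sample strings are this example's own.

```python
"""Classify gpg --verify output so a missing public key is reported as
"could not verify", never as BAD/TAMPERED. Added example, not code from
Module::Signature, CPAN or CPANPLUS; samples are constructed from this thread."""
import re
from enum import Enum

class Outcome(Enum):
    GOOD = "good signature"
    BAD = "BAD/TAMPERED signature"                  # only when gpg itself says BAD
    UNVERIFIED = "signature could not be checked"   # fail closed, but say why

# [GNUPG:] keywords from gpg's --status-fd interface are checked first: they
# are stable across locales and versions, unlike the human-readable text.
STATUS_RULES = [
    (re.compile(r"^\[GNUPG:\] BADSIG\b"), Outcome.BAD),
    (re.compile(r"^\[GNUPG:\] (GOODSIG|VALIDSIG)\b"), Outcome.GOOD),
    (re.compile(r"^\[GNUPG:\] NO_PUBKEY\b"), Outcome.UNVERIFIED),
]
# Fallback for plain stderr, as cpansign showed it in this thread.
TEXT_RULES = [
    (re.compile(r"^gpg: BAD signature from"), Outcome.BAD),
    (re.compile(r"^gpg: Good signature from"), Outcome.GOOD),
    (re.compile(r"^gpg: (Can't check signature|keyserver timed out)"), Outcome.UNVERIFIED),
    (re.compile(r"not found on keyserver"), Outcome.UNVERIFIED),
]

def classify(output: str) -> Outcome:
    """BAD wins over everything; GOOD needs a positive match and no doubt;
    anything else (including empty output) is UNVERIFIED."""
    hits = set()
    for line in output.splitlines():
        for pattern, outcome in STATUS_RULES + TEXT_RULES:
            if pattern.search(line):
                hits.add(outcome)
    if Outcome.BAD in hits:
        return Outcome.BAD
    if Outcome.GOOD in hits and Outcome.UNVERIFIED not in hits:
        return Outcome.GOOD
    return Outcome.UNVERIFIED

# Constructed from the thread: subkey-signed dist, key not on pgp.mit.edu.
MISSING_KEY = """gpg: Signature made Mon May 1 12:34:59 2006 EDT using RSA key ID BB72D9C5
gpgkeys: key C5A2D18FBB72D9C5 not found on keyserver
gpg: Can't check signature: public key not found
"""
# Constructed: what a genuinely altered SIGNATURE or tarball produces.
TAMPERED = 'gpg: BAD signature from "Example Author <author@example.invalid>"\n'
```

The same split is what a client should report upward: an unverifiable signature still blocks the install, but a CPAN Testers report should say "unverified", not "tampered".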
Re: Module::Signature issues
* James E Keenan jkeen_via_google at yahoo.com [2006/05/07 20:31]:
> When I manually downloaded Pod-Readme-0.08 (which still included a SIGNATURE file), I got this error message:
>
>     [Downloads] 523 $ cd Pod-Readme-0.08
>     [Pod-Readme-0.08] 524 $ cpansign -v
>     Executing gpg --verify --batch --no-tty --keyserver=hkp://pgp.mit.edu:11371 --keyserver-options=auto-key-retrieve SIGNATURE
>     gpg: Signature made Mon May 1 12:34:59 2006 EDT using RSA key ID BB72D9C5
>     gpg: requesting key BB72D9C5 from hkp server pgp.mit.edu
>     gpgkeys: key C5A2D18FBB72D9C5 not found on keyserver
>     gpg: no valid OpenPGP data found.
>     gpg: Total number processed: 0
>     gpg: Can't check signature: public key not found
>     == BAD/TAMPERED signature detected! ==
>
> Which is a signing problem ... but not the same signing problem I just reported in the case of Module-Build and PathTools.

Robert said he's signing his modules with a subkey, and the MIT key server (IIRC) does not support subkeys. If you use a different keyserver, you'll find the key:

    $ grep ^keyserver ~/.gnupg/gpg.conf
    keyserver hkp://subkeys.pgp.net
    $ gpg --search 0xBB72D9C5
    Keys 1-2 of 2 for 0xBB72D9C5
    (1) Robert Rothenberg (CPAN) [EMAIL PROTECTED]
        1024 bit DSA key 5DB01E18, created 2005-11-09
    (2) Robert Rothenberg [EMAIL PROTECTED]
        1024 bit DSA key 5DB01E18, created 2005-11-09

The main key ID is 5DB01E18. If you grabbed this key from the MIT keyserver, you could probably verify the signature on Pod::Readme 0.08, assuming the MIT keyserver passed through the subkeys unmolested.

(darren)

-- 
If you cannot think of three ways of abusing a tool, you do not understand how to use it.
    -- Gerald Weinberg
Re: Module::Signature issues
I'm reminded of one other issue: there are Windows vs Unix end-of-line issues that it sometimes chokes on.

I've just re-released Pod::Readme without a signature, because the signature problems are choking up Module::Build users.

On 05/07/2006 05:10 AM James E Keenan wrote:
> I don't claim to understand the security issues well. I just know that on my laptop I'm never successful in installing Module::Build, PathTools, etc., with the cpan shell.
Re: Module::Signature issues
On May 7, 2006, at 6:49 AM, Robert Rothenberg wrote:
> I'm reminded of one other issue: there are Windows vs Unix end-of-line issues that it sometimes chokes on.
>
> I've just re-released Pod::Readme without a signature, because the signature problems are choking up Module::Build users.

Module::Build doesn't do anything with signatures - all it knows how to do is generate a signature file when building a distribution. I'd suspect that the failures have more to do with the version of CPAN or CPANPLUS users have. Or if it's M::B in some way I don't understand, do you have any error output?

-Ken
Re: Module::Signature issues
On 05/07/2006 02:34 PM Ken Williams wrote:
>> I've just re-released Pod::Readme without a signature, because the signature problems are choking up Module::Build users.
>
> Module::Build doesn't do anything with signatures - all it knows how to do is generate a signature file when building a distribution. I'd suspect that the failures have more to do with the version of CPAN or CPANPLUS users have. Or if it's M::B in some way I don't understand, do you have any error output?

It's CPAN/CPANPLUS, but M::B users are installing P::R.
Re: Module::Signature issues
On May 7, 2006, at 8:49 AM, Robert Rothenberg wrote:
> On 05/07/2006 02:34 PM Ken Williams wrote:
>>> I've just re-released Pod::Readme without a signature, because the signature problems are choking up Module::Build users.
>>
>> Module::Build doesn't do anything with signatures - all it knows how to do is generate a signature file when building a distribution. I'd suspect that the failures have more to do with the version of CPAN or CPANPLUS users have. Or if it's M::B in some way I don't understand, do you have any error output?
>
> It's CPAN/CPANPLUS, but M::B users are installing P::R.

Ah yes - now I remember. =)

-Ken
Re: Module::Signature issues
Ken Williams wrote:
> On May 7, 2006, at 6:49 AM, Robert Rothenberg wrote:
>> I'm reminded of one other issue: there are Windows vs Unix end-of-line issues that it sometimes chokes on.
>>
>> I've just re-released Pod::Readme without a signature, because the signature problems are choking up Module::Build users.
>
> Module::Build doesn't do anything with signatures - all it knows how to do is generate a signature file when building a distribution. I'd suspect that the failures have more to do with the version of CPAN or CPANPLUS users have. Or if it's M::B in some way I don't understand, do you have any error output?
>
> -Ken

Could the problem be in contacting the keyserver?

Just now I manually downloaded and unpacked Module-Build-0.28. I followed the instructions in the SIGNATURE file (which, BTW, appears twice in the MANIFEST -- though apparently without causing error) and got this error message:

    [Downloads] 508 $ cd Module-Build-0.28
    [Module-Build-0.28] 510 $ cpansign -v
    Executing gpg --verify --batch --no-tty --keyserver=hkp://pgp.mit.edu:11371 --keyserver-options=auto-key-retrieve SIGNATURE
    gpg: Signature made Fri Apr 28 00:14:21 2006 EDT using DSA key ID B7EF9476
    gpg: requesting key B7EF9476 from hkp server pgp.mit.edu
    gpg: keyserver timed out
    gpg: Can't check signature: public key not found
    == BAD/TAMPERED signature detected! ==

I got the same results with PathTools:

    [PathTools-3.18] 518 $ cpansign -v
    Executing gpg --verify --batch --no-tty --keyserver=hkp://pgp.mit.edu:11371 --keyserver-options=auto-key-retrieve SIGNATURE
    gpg: Signature made Thu Apr 27 23:02:23 2006 EDT using DSA key ID B7EF9476
    gpg: requesting key B7EF9476 from hkp server pgp.mit.edu
    gpg: keyserver timed out
    gpg: Can't check signature: public key not found
    == BAD/TAMPERED signature detected! ==

Since I wasn't attempting to install, these error messages were independent of the actual operation of CPAN.pm or the cpan shell. But do they bear upon the problem I previously reported elsewhere and that RR's users seem to be experiencing?

Thanks.

jimk
Re: Module::Signature issues
Robert Rothenberg (CPAN) wrote:
> This is really frustrating. I'm not sure how to solve this, aside from giving up on signing my CPAN uploads altogether. That signature failures on automated CPAN Tester Reports show up as test failures only reinforces this view.
>
> I'm curious as to other authors' views on this. What good are module signatures, anyway?

Good question. I've posted in a number of places that I repeatedly experience failures in automated installation of modules via cpan shell/CPAN.pm when the modules are signed -- even though those same modules install perfectly well when I go through the manual process. The threads in which I've posted this issue all peter out inconclusively (unlike most threads based on my questions, which reach clear conclusions).

I don't claim to understand the security issues well. I just know that on my laptop I'm never successful in installing Module::Build, PathTools, etc., with the cpan shell.

jimk