martin has asked for the wisdom of the Perl Monks concerning the following question:

Dear fellow monks,

I am using Module::Signature and have configured my cpan shell to check signatures (check_sigs=1). This, however, will not just make cpan check module's signatures when unpacking packages, but also make it use my gpg command to check PAUSE checksums. This should perhaps be different configuration options, but I probably would turn both on anyways.

Now Gnu Privacy Guard needs a signer's public key to verify a signed file like a PAUSE generated checksum. This signing key has recently been replaced. I have the old one (328DA867450F89EC) in my keyring but now need the new one (77576125A905F1BA). In https://www.cpan.org/modules/04pause.html , only the old one is present. On keyservers like pgp.mit.edu and keyserver.ubuntu.com the key is not to be found.

Where else should I look? Without the key, I have to use cpan with signature checks completely turned off or it will not install anything. I don't like that. The idea of signatures was to make the toolchain safer against manipulated mirrors. The idea of signed checksums was to protect even packages not signed by their authors. I agree to all of this. Some new way of distributing PAUSE keys may have escaped me, though. Can you fill me in?

Greetings,
-Martin

Re: Where do I find the current PAUSE batch signing key?
by Perlbotics (Archbishop) on Jul 08, 2023 at 09:52 UTC

    Hi Martin, gpg2 --keyserver pgpkeys.eu --search 77576125A905F1BA returns

    gpg: data source: http://pgpkeys.eu:11371
    (1) PAUSE Batch Signing Key 2024 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2023 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2003 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2005 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2007 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2009 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2017 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2019 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2021 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2022 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2011 <pause@pause.perl.org>
        PAUSE Batch Signing Key 2015 <pause@pause.perl.org>
          1024 bit DSA key 328DA867450F89EC, created: 2003-02-03
    Keys 1-1 of 1 for "77576125A905F1BA".  Enter number(s), N)ext, or Q)uit >
    Did you search for that one?

      Thanks, Perlbotics, this key is indeed the missing one. That 04pause.html is not up to date seems to be an oversight. I'll have a look where it can be reported.

      -Martin

More signature problems (was: Where do I find the current PAUSE batch signing key?)
by martin (Friar) on Jul 14, 2024 at 20:35 UTC

    New PAUSE signing key, new problems.

    Again, checksum signatures seemed to have been the reason the CPAN module did not want to install modules. I saw an error message suggesting I should remove a particular CHECKSUM file from the local CPAN cache. This did not work however, as the newly retrieved one had the same problem. Reverse engineering revealed that gpg is called by the CPAN module with options to have it automatically download keys from keyserver.ubuntu.com. Only, apparently the key could not be downloaded. Ah yes, there is a PAUSE Batch Signing Key 2025. I found it on pgpkeys.eu, as well as on the PAUSE about page, and imported it manually to my keyring. Now the cpan command is working again.

    In case you want to check:

    PAUSE Batch Signing Key 2025 <pause@pause.perl.org>
    Primary key fingerprint: 2E66 557A B97C 19C7 91AF  8E20 328D A867 450F 89EC
         Subkey fingerprint: 1660 C9E7 C4AC 9195 3F49  8072 7C53 022A 40AD 6B1B
    

    I am not quite sure what the actual problem was, only that it was fixed by (re-)importing a PAUSE key. I am running gpg (GnuPG) 2.2.43 on a Debian testing (trixie) machine. I may be in a minority using the cpan command rather than cpanplus, cpanm or whatnot, and having check_sigs configured to true. I do know I am an advocate for code signing and would like more authors to use Module::Signature though.

    -Martin
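The check that the thread describes cpan performing with check_sigs=1, as an added stand-alone script that is not code from CPAN.pm or from any poster: it runs gpg over the signed CHECKSUMS file, accepts the signature only if the primary key fingerprint matches, and then compares a distribution's SHA-256 against the signed table. It assumes gpg is in PATH, that the PAUSE key has already been imported into the local keyring, and uses the primary key fingerprint posted above as the expected value; the CHECKSUMS layout (a clearsigned Perl hash assigned to $cksum) is the one CPAN::Checksums writes.

```perl
# Stand-alone version of the cpan check_sigs=1 check: gpg-verify the signed CHECKSUMS file,
# then compare a dist's SHA-256 with the signed table.  Added example, not CPAN.pm's code;
# assumes gpg(1) is in PATH and the PAUSE key is already imported into the keyring.
use strict; use warnings;
use Digest::SHA qw(sha256_hex); use Safe;

my $EXPECTED_FPR = '2E66557AB97C19C791AF8E20328DA867450F89EC';  # primary key fingerprint posted above

sub verify_checksums_signature {
    my ($checksums_file, $expected_fpr) = @_;
    # VALIDSIG's last field is the primary key fingerprint, so a yearly signing subkey still matches.
    open(my $gpg, '-|', 'gpg', '--batch', '--status-fd', '1', '--verify', $checksums_file) or die "cannot run gpg: $!";
    my $ok = 0;
    while (my $line = <$gpg>) {
        my @f = split ' ', $line;
        $ok = 1 if @f > 2 && $f[1] eq 'VALIDSIG' && uc $f[-1] eq uc $expected_fpr;
    }
    close $gpg;
    return $ok;
}

sub load_checksum_table {
    my ($checksums_file) = @_;
    open my $fh, '<', $checksums_file or die "open $checksums_file: $!";
    my $text = do { local $/; <$fh> };
    # Keep only the clearsigned body and evaluate it in a Safe compartment, as CPAN.pm does.
    $text =~ s/\A.*?^-----BEGIN PGP SIGNED MESSAGE-----\n.*?\n\n//ms;
    $text =~ s/^-----BEGIN PGP SIGNATURE-----.*\z//ms;
    my $safe = Safe->new; my $table = $safe->reval($text);
    die "CHECKSUMS did not parse: $@" if $@;
    $table = ${ $safe->varglob('cksum') } unless ref $table eq 'HASH';  # the file assigns to $cksum
    die "no checksum table in $checksums_file" unless ref $table eq 'HASH';
    return $table;
}

sub verify_distribution {
    my ($checksums_file, $dist_file, $expected_fpr) = @_;
    verify_checksums_signature($checksums_file, $expected_fpr)
        or return "signature on $checksums_file missing or not from the expected PAUSE key";
    my ($base) = $dist_file =~ m{([^/]+)\z};
    my $entry = load_checksum_table($checksums_file)->{$base}
        or return "$base is not listed in CHECKSUMS";
    open my $fh, '<:raw', $dist_file or die "open $dist_file: $!";
    my $got = sha256_hex(do { local $/; <$fh> });
    return "sha256 mismatch for $base" unless $entry->{sha256} && $got eq $entry->{sha256};
    return undef;    # undef means every check passed
}

@ARGV == 2 or die "usage: $0 CHECKSUMS Some-Dist-1.00.tar.gz\n";
my $problem = verify_distribution(@ARGV, $EXPECTED_FPR);
die "$problem\n" if defined $problem;
print "$ARGV[1] verified against signed CHECKSUMS\n";
```

Unlike cpan's own call, this runs gpg without any auto-key-retrieve option, so a key missing from the keyring shows up as a verification failure rather than a silent download from a keyserver.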