I just thought I'd add what I have found so far.

The GnuPG manpage describes homedir and an environmental var one can set:

--homedir directory
Set the name of the home directory to directory If this option is not 
+used it defaults to "~/.gnupg". It does not make sense to use this in
+ a options file. This also overrides the environment variable "GNUPGH
+OME".
[download]

I tried setting GNUPGHOME to C:/Users/somia/.gnupg (which already exists; something along the line created that dir) ...but as stated above, it is overridden when some Perl code (in Module::Signature?) calls gpg. So keeping signature-checking off as Danny and others say, is the smart move until someone fixes this strange behavior. ;-/

For my own build of perl-5.40.0 on Cygwin, upgrading CPAN from 2.36 to 2.37 worked fine:

$ cpanp i CPAN
Installing CPAN (2.37)
Running [/cygdrive/c/cygperl-5.40.0-d/bin/perl -MCPANPLUS::Internals::
+Utils::Autoflush C:/Users/Owner/AppData/Roaming/.cpanplus/5.40.0/buil
+d/GoTwSCMIxI/CPAN-2.37/Makefile.PL]...
Checking if your kit is complete...
Looks good
Generating a Unix-style Makefile
Writing Makefile for CPAN
Writing MYMETA.yml and MYMETA.json
Running [/usr/bin/make test]...
PERL_DL_NONLAZY=1 "/cygdrive/c/cygperl-5.40.0-d/bin/perl.exe" "-MExtUt
+ils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switc
+hes; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/00signature.t ............... skipped: External program 'gpg' not fo
+und
t/01loadme.t .................. ok
t/02nox.t ..................... ok
t/03pkgs.t .................... ok
t/04clean_load.t .............. ok
t/10version.t ................. ok
t/11mirroredby.t .............. ok
t/12cpan.t .................... ok
t/13tarzip.t .................. ok
t/14forkbomb.t ................ skipped: test only run when called wit
+h --doit
t/30shell.t ................... skipped: no Expect, maybe try env CPAN
+_RUN_SHELL_TEST_WITHOUT_EXPECT=1
t/31sessions.t ................ skipped: Yaml module [YAML] not instal
+led
t/32pushyhttps.t .............. skipped: running MinimumVersion test o
+nly run when AUTHOR_TEST set
t/41distribution.t ............ skipped: No yaml module installed
t/42distroprefs.t ............. skipped: YAML required
t/43distroprefspref.t ......... ok
t/44cpanmeta.t ................ ok
t/50pod.t ..................... skipped: Test::Pod 1.00 required for t
+esting POD
t/51pod.t ..................... ok
t/52podcover.t ................ skipped: Test::Pod::Coverage 0.18 requ
+ired for testing pod coverage
t/60credentials.t ............. ok
t/70_critic.t ................. skipped: Test::Perl::Critic only run w
+hen AUTHOR_TEST set
t/71_minimumversion.t ......... skipped: running MinimumVersion test o
+nly run when AUTHOR_TEST set
t/97-compile.t ................ ok
t/97-cpanpm_output_hook.t ..... ok
t/97-expand_filenames.t ....... ok
t/97-install_hack.t ........... ok
t/97-mock.t ................... ok
t/97-process_options.t ........ ok
t/97-process_setup_options.t .. ok
t/97-return_values.t .......... ok
# will run '/cygdrive/c/cygperl-5.40.0-d/bin/perl -Mblib blib/script/c
+pan -y 2>&1'
# will run '/cygdrive/c/cygperl-5.40.0-d/bin/perl -Mblib blib/script/c
+pan -h 2>&1'
t/97-run.t .................... ok
All tests successful.
Files=32, Tests=476, 30 wallclock secs ( 0.00 usr  0.00 sys +  7.07 cu
+sr  9.36 csys = 16.43 CPU)
Result: PASS
*** Install log written to:
  C:/Users/Owner/AppData/Roaming/.cpanplus/install-logs/CPAN-2.37-1727
+840241.log

Module 'CPAN' installed successfully
No errors installing all modules
[download]

The log begins with:

[MSG] [Wed Oct  2 13:36:37 2024] Trying to get 'http://www.cpan.org/au
+thors/id/A/AN/ANDK/CPAN-2.37.tar.gz'
[MSG] [Wed Oct  2 13:36:41 2024] Trying to get 'http://www.cpan.org/au
+thors/id/A/AN/ANDK/CHECKSUMS'
[MSG] [Wed Oct  2 13:36:42 2024] Checksum matches for 'CPAN-2.37.tar.g
+z'
[MSG] [Wed Oct  2 13:36:42 2024] Extracting 'CPAN-2.37.tar.gz'
[download]

followed by a list of all of the files that were extracted by the tarball - and then proceeds to display essentially the same as was sent to the bash terminal (but, additionally, with a listing of all files that were actually installed.)

No sign of any gpg stuff going on.
Maybe I need to use the system perl to encounter the "gpg" issue.

My cygwin installation is a few years old (perl-5.32.1, gcc-11.3.0) and the "cpan" utility won't even work properly with it.
That suits me fine, as I really don't want to mess with that perl installation.
However, I did a manual build of CPAN-2.37 using that perl and all went well - even the "make install" step. (I figured I could probably get with the "make install" without doing any damage.)

FWIW, the Configure args that I use to build perl on Cygwin are:

$ perl -V:config_args
config_args='-des -Dusethreads -Dusemultiplicity -Dprefix=/cygdrive/c/
+cygperl-5.40.0-d -Dlibpth=/lib/gcc/x86_64-pc-cygwin/11';
[download]

which is significantly different to the Configure args used to build Cygwin's system perl.

Someone who cares about this issue might like to provide a bug report to Cygwin ... if that's where the bug is.
I personally think that anyone who wants to install modules into a system perl by running cpan/cpanp/cpanm bears the responsibility of "picking up the pieces".

Cheers,
Rob

As mentioned before, if cpanp doesn't detect gpg it doesn't do signature checks. Perhaps you don't have gpg installed?

keeping signature-checking off as Danny and others say, is the smart move until someone fixes this strange behavior. ;-/

🤦‍♂️; 💩🔥 -- for the general state, not for your decision (in order to have working software) as much.