
As mentioned before, if cpanp doesn't detect gpg it doesn't do signature checks. Perhaps you don't have gpg installed?

Re^5: GPG-Signed modules fail to install using cpanp under CygwinPerl
by syphilis (Archbishop) on Oct 02, 2024 at 11:04 UTC
    Perhaps you don't have gpg installed?

    Duh - yes. My MSYS installation includes it, and it's installed on my Ubuntu box (where "cpanp i CPAN" works fine), but not on Cygwin.
    I've now caught up by installing it on Cygwin.

    It seems that the fatality of the gpg failure can be overwritten by --force. But that's not much of a solution as --force would also run "make install", even if some tests also fail.
    Better to turn off signatures, as already suggested by Danny.

    How does one readily locate other GPG-signed modules with which to experiment?

    Cheers,
    Rob

      Rob asked:

      How does one readily locate other GPG-signed modules with which to experiment?

      Unfortunately, there is no easy way. I finally came across one signed module by accident, and it seems to be broken; here is some output:

      cpanp i MooX::late
      Installing MooX::late (0.100)
      gpg: Signature made Mon 17 Feb 2020 12:18:09 PM EST
      gpg: using DSA key 5524A8FFE3EB3ACF85B336E8CEBF81286A2A7D39
      gpg: Can't check signature: No public key
      [ERROR] Signature check failed for module 'MooX::late' -- Not trusting this module, aborting install
      *** Install log written to: /home/somian/.cpanplus/install-logs/MooX-late-0.100-1728073638.log
      Error installing 'MooX::late'

      If I come across other signed CPAN modules I'll post. In the meantime, I am hoping to find the mental energy to file a coherent report on this, on rt.cpan.org.

      Examine what is said, not who speaks.
      Love the truth but pardon error.
      Silence betokens consent.
      In the absence of evidence, opinion is indistinguishable from prejudice.
        If I come across other signed CPAN modules I'll post.

        After reading this, I intended to reply with the following information, but never followed through. But I was reminded this morning, when I had a couple spare minutes:

        The following of my distros have been signed:

        Unfortunately, Kwalitee currently says it "Can't check signature: No public key" for the first four -- for example, here -- despite the fingerprint E800DAF40F9AC138A2747ED6FA2CFCE568A5ADCF matching my fingerprint.

        And the last two had their SIGNATURE files generated pre-Module::Signature-v0.82, so Kwalitee complains about being an old SIGNATURE, even though the FA2CFCE568A5ADCF that it lists is the appropriate 16-character shorthand for the same key.

        But at least for the first four, maybe with an updated Module::Signature v0.89, which uses keyserver.ubuntu.com instead of the old URL, maybe these can be examples to try on a Cygwin setup.

        (I don't use Cygwin, nor cpanplus; but when I tried my Strawberry cpanm --look on CAD::Mesh3D or Math::PRBS (new and old style SIGNATURE), and ran cpansign -v to verify either of those downloads, it came back with a valid signature (though with the "old SIGNATURE" warning on the second); cpanm --verify didn't tell me anything, so I don't know if it doesn't do anything, or if it just doesn't say anything on a good SIGNATURE (or if the invalid WARNING it gives means it's not doing any signature checking)
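
The outcomes that come up in this thread (gpg absent so the check is skipped, "Can't check signature: No public key", and a signature that actually verifies) are easy to conflate when reading an install log. The shell sketch below sorts them apart; it is an added example, not code from any poster or from CPANPLUS. The function names and the sample text (with a constructed fingerprint) are assumptions, and the "Good signature" / "BAD signature" strings assume gpg's English messages (LC_ALL=C).

```shell
#!/bin/sh
# Added example: classify a signature check from the gpg lines in an install log.
# Constructed sample, modelled on the "No public key" output quoted in the thread;
# the fingerprint is made up.
SAMPLE_NOKEY="gpg: Signature made Mon 17 Feb 2020 12:18:09 PM EST
gpg:                using DSA key 0123456789ABCDEF0123456789ABCDEF01234567
gpg: Can't check signature: No public key"

# True when a gpg binary is on PATH. Per the thread, without one the
# signature check is skipped rather than failed.
gpg_available() { command -v gpg >/dev/null 2>&1; }

# classify_gpg_output TEXT -> GOOD | BAD | NOKEY | UNCHECKED
# BAD is tested first so one bad signature outweighs any good one in the same log.
classify_gpg_output() {
    case $1 in
        *"BAD signature"*)  echo BAD ;;        # content does not match the signature
        *"No public key"*)  echo NOKEY ;;      # nothing was verified
        *"Good signature"*) echo GOOD ;;
        *)                  echo UNCHECKED ;;  # no gpg verdict at all
    esac
}

# signing_key TEXT -> key id or fingerprint from the "using <ALGO> key <HEX>" line
signing_key() {
    printf '%s\n' "$1" |
        sed -n 's/^gpg: *using [A-Za-z0-9]* key \([0-9A-Fa-f]\{16,40\}\).*$/\1/p' |
        head -n 1
}

# install_decision TEXT -> only a verified signature yields "proceed"
install_decision() {
    case $(classify_gpg_output "$1") in
        GOOD)  echo proceed ;;
        BAD)   echo abort ;;
        NOKEY) echo "missing-key $(signing_key "$1")" ;;  # obtain and vet the key, then re-check
        *)     echo unverified ;;                         # treat like unsigned, not like verified
    esac
}

gpg_available || echo "gpg not on PATH: signature checks will be skipped" >&2
install_decision "$SAMPLE_NOKEY"
```

NOKEY and UNCHECKED both mean the module's integrity is unknown; neither is evidence of tampering, and neither is a pass.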