in reply to Re^4: GPG-Signed modules fail to install using cpanp under CygwinPerl
in thread GPG-Signed modules fail to install using cpanp under CygwinPerl

Perhaps you don't have gpg installed?

Duh - yes. My MSYS installation includes it, and it's installed on my Ubuntu box (where "cpanp i CPAN" works fine), but not on Cygwin.
I've now caught up by installing it on Cygwin.

It seems that the fatality of the gpg failure can be overwritten by --force. But that's not much of a solution as --force would also run "make install", even if some tests also fail.
Better to turn off signatures, as already suggested by Danny.

How does one readily locate other GPG-signed modules with which to experiment?

Cheers,
Rob

Re^6: GPG-Signed modules fail to install using cpanp under CygwinPerl
by Intrepid (Curate) on Oct 12, 2024 at 01:53 UTC

    Rob asked:

    How does one readily locate other GPG-signed modules with which to experiment?

    Unfortunately, there is no easy way. I finally came across one signed module by accident, and it seems to be broken; here is some output:

    cpanp i MooX::late
    Installing MooX::late (0.100)
    gpg: Signature made Mon 17 Feb 2020 12:18:09 PM EST
    gpg: using DSA key 5524A8FFE3EB3ACF85B336E8CEBF81286A2A7D39
    gpg: Can't check signature: No public key
    [ERROR] Signature check failed for module 'MooX::late' -- Not trusting this module, aborting install
    *** Install log written to: /home/somian/.cpanplus/install-logs/MooX-late-0.100-1728073638.log
    Error installing 'MooX::late'

    If I come across other signed CPAN modules I'll post. In the meantime, I am hoping to find the mental energy to file a coherent report on this, on rt.cpan.org.

    Examine what is said, not who speaks.
    Love the truth but pardon error.
    Silence betokens consent.
    In the absence of evidence, opinion is indistinguishable from prejudice.
      If I come across other signed CPAN modules I'll post.

      After reading this, I intended to reply with the following information, but never followed through. But I was reminded this morning, when I had a couple spare minutes:

      The following of my distros have been signed:

      Unfortunately, Kwalitee currently says it "Can't check signature: No public key" for the first four -- for example, here -- despite the fingerprint E800DAF40F9AC138A2747ED6FA2CFCE568A5ADCF matching my fingerprint.

      And the last two had their SIGNATURE files generated pre-Module::Signature-v0.82, so Kwalitee complains about being an old SIGNATURE, even though the FA2CFCE568A5ADCF that it lists is the appropriate 16-character shorthand for the same key.

      But at least for the first four, maybe with an updated Module::Signature v0.89, which uses keyserver.ubuntu.com instead of the old URL, maybe these can be examples to try on a Cygwin setup.

      (I don't use Cygwin, nor cpanplus; but when I tried my Strawberry cpanm --look on CAD::Mesh3D or Math::PRBS (new and old style SIGNATURE), and ran cpansign -v to verify either of those downloads, it came back with a valid signature (though with the "old SIGNATURE" warning on the second); cpanm --verify didn't tell me anything, so I don't know if it doesn't do anything, or if it just doesn't say anything on a good SIGNATURE (or if the invalid WARNING it gives means it's not doing any signature checking).)

        Thanks for this! It's very good to have more signed modules to see what behaviors they display. I use both cygwin and debian so I can check what happens on both platforms.

        I would like it if cpanm gave notice of a successful verification. I'm just today using cpanm since I perlbrew'ed an installation of a slightly old perl and cpanm comes with it.

        Oct 14, 2024 at 21:23 UTC
        The open palm of desire
        Wants everything, it wants everything
        It wants soil as soft as summer
        And the strength to push like spring
        Paul Simon -> Further to Fly
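
The thread turns on two things: gpg's "Can't check signature: No public key" result, and whether a 16-character key ID names the same key as a 40-character fingerprint. The following is an added example, not code from any poster or from CPANPLUS or Module::Signature, that separates "unverified because the expected key is not in the keyring" from a bad or unexpected signer. The function names are hypothetical, the sample log is constructed from the output quoted above, and it assumes gpg's English messages.

```shell
#!/bin/sh
# Added example (not from the thread): interpret gpg's verification messages.
# Assumes gpg's English (LC_ALL=C) messages as captured in a cpanp install log.

# Normalise a key reference: 40-digit fingerprint or 16-digit long key ID.
norm_key() (
    k=$(printf '%s' "$1" | tr -d ' \r' | tr 'a-f' 'A-F')
    case "$k" in ''|*[!0-9A-F]*) exit 1 ;; esac
    case "${#k}" in 16|40) printf '%s\n' "$k" ;; *) exit 1 ;; esac
)

# Succeeds when both references name the same key. Two full fingerprints must
# match exactly; a long key ID is compared with the last 16 digits of the other.
same_key() (
    a=$(norm_key "$1") || exit 1
    b=$(norm_key "$2") || exit 1
    if [ "${#a}" -eq 40 ] && [ "${#b}" -eq 40 ]; then
        if [ "$a" = "$b" ]; then exit 0; else exit 1; fi
    fi
    a=$(printf '%s' "$a" | tail -c 16)
    b=$(printf '%s' "$b" | tail -c 16)
    if [ "$a" = "$b" ]; then exit 0; else exit 1; fi
)

# Verdict for captured gpg output, given the fingerprint you expect (obtained
# out of band): bad | unexpected-signer | missing-expected-key | good | unknown
verdict() (
    signer=$(printf '%s\n' "$1" |
        sed -n 's/.*using [A-Za-z0-9]* key \([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    case "$1" in *"BAD signature"*) echo bad; exit 0 ;; esac
    # An unparsable or different signer fails closed.
    if ! same_key "$signer" "$2"; then echo unexpected-signer; exit 0; fi
    case "$1" in
        *"No public key"*)  echo missing-expected-key ;;  # unverified, not bad
        *"Good signature"*) echo good ;;
        *)                  echo unknown ;;
    esac
)

# Constructed sample, modelled on the MooX::late log quoted in the thread.
SAMPLE_LOG='gpg: Signature made Mon 17 Feb 2020 12:18:09 PM EST
gpg: using DSA key 5524A8FFE3EB3ACF85B336E8CEBF81286A2A7D39
gpg: Can'\''t check signature: No public key'

verdict "$SAMPLE_LOG" 5524A8FFE3EB3ACF85B336E8CEBF81286A2A7D39
```

A `missing-expected-key` verdict means the signature was never checked; the fix is to import that key and re-verify, since a 16-digit match alone is weaker evidence than a full fingerprint match.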