in reply to Re^5: GPG-Signed modules fail to install using cpanp under CygwinPerl
in thread GPG-Signed modules fail to install using cpanp under CygwinPerl

Rob asked:

How does one readily locate other GPG-signed modules with which to experiment?

Unfortunately, there is no easy way. I finally came across one signed module by accident, and it seems to be broken; here is some output:

    cpanp i MooX::late
    Installing MooX::late (0.100)
    gpg: Signature made Mon 17 Feb 2020 12:18:09 PM EST
    gpg: using DSA key 5524A8FFE3EB3ACF85B336E8CEBF81286A2A7D39
    gpg: Can't check signature: No public key
    [ERROR] Signature check failed for module 'MooX::late' -- Not trusting this module, aborting install
    *** Install log written to: /home/somian/.cpanplus/install-logs/MooX-late-0.100-1728073638.log
    Error installing 'MooX::late'

If I come across other signed CPAN modules I'll post. In the meantime, I am hoping to find the mental energy to file a coherent report on this, on rt.cpan.org.

Examine what is said, not who speaks.
Love the truth but pardon error.
Silence betokens consent.
In the absence of evidence, opinion is indistinguishable from prejudice.

Re^7: GPG-Signed modules fail to install using cpanp under CygwinPerl
by pryrt (Abbot) on Oct 14, 2024 at 14:34 UTC
    If I come across other signed CPAN modules I'll post.

    After reading this, I intended to reply with the following information, but never followed through. But I was reminded this morning, when I had a couple spare minutes:

    The following of my distros have been signed:

    Unfortunately, Kwalitee currently says it "Can't check signature: No public key" for the first four -- for example, here -- despite the fingerprint E800DAF40F9AC138A2747ED6FA2CFCE568A5ADCF matching my fingerprint.

    And the last two had their SIGNATURE files generated pre-Module::Signature-v0.82, so Kwalitee complains about being an old SIGNATURE, even though the FA2CFCE568A5ADCF that it lists is the appropriate 16-character shorthand for the same key.

    But at least for the first four, maybe with an updated Module::Signature v0.89, which uses keyserver.ubuntu.com instead of the old URL, maybe these can be examples to try on a Cygwin setup.

    (I don't use Cygwin, nor cpanplus; but when I tried my Strawberry cpanm --look on CAD::Mesh3D or Math::PRBS (new and old style SIGNATURE), and ran cpansign -v to verify either of those downloads, it came back with a valid signature (though with the "old SIGNATURE" warning on the second); cpanm --verify didn't tell me anything, so I don't know if it doesn't do anything, or if it just doesn't say anything on a good SIGNATURE (or if the invalid WARNING it gives means it's not doing any signature checking).)

      Thanks for this! It's very good to have more signed modules to see what behaviors they display. I use both cygwin and debian so I can check what happens on both platforms.

      I would like it if cpanm gave notice of a successful verification. I'm just today using cpanm since I perlbrew'ed an installation of a slightly old perl and cpanm comes with it.

      Oct 14, 2024 at 21:23 UTC
      The open palm of desire
      Wants everything, it wants everything
      It wants soil as soft as summer
      And the strength to push like spring
      Paul Simon -> Further to Fly
        I would like it if cpanm gave notice of a successful verification.

        It actually does, if cpanm --verify could find cpansign.bat, not just cpansign or cpansign.exe (I've reported this Win32 failure to App::cpanminus's repo). I patched my copy of cpanm to also search for the .bat ending when doing its which('cpansign') (and any other calls to which throughout), and now it does properly report a success:

        c:\> cpansign --verify WWW::KeePassHttp
        --> Working on WWW::KeePassHttp
        Fetching http://www.cpan.org/authors/id/P/PE/PETERCJ/WWW-KeePassHttp-0.020.tar.gz ... OK
        Fetching http://www.cpan.org/authors/id/P/PE/PETERCJ/CHECKSUMS ... OK
        Verifying the SIGNATURE file ... Verified OK
        Configuring WWW-KeePassHttp-0.020 ... OK
        ...

        Since you are on linux or the linux-like Cygwin, I think cpanm --verify should work for you, as long as cpansign is in your $PATH.
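
The reply above describes a verifier helper that exists on disk as cpansign.bat but is not found by a lookup that tries only cpansign and cpansign.exe. The following is an added example, not App::cpanminus code and not the patch mentioned in the post: a PATH lookup that tries the PATHEXT suffixes on Win32 and returns nothing when the tool is missing, so the caller can report that verification was not possible. The name find_tool and its os/path/pathext options are hypothetical, and the directory and empty cpansign.bat file are constructed for the demo.

```perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# find_tool() is a hypothetical helper. The os/path/pathext options exist
# only so the lookup can be exercised against a constructed directory.
sub find_tool {
    my ($name, %opt) = @_;
    my $win  = ($opt{os} // $^O) eq 'MSWin32';
    my $path = $opt{path} // $ENV{PATH} // '';
    my @dirs = grep { length } split($win ? qr/;/ : qr/:/, $path);

    # Elsewhere the bare name is the only candidate. On Win32 a script is
    # launched through a PATHEXT suffix (.bat, .cmd, ...), so try each one.
    my @ext = ('');
    if ($win) {
        my $pathext = $opt{pathext} // $ENV{PATHEXT} // '.COM;.EXE;.BAT;.CMD';
        @ext = map { lc } grep { length } split /;/, $pathext;
        unshift @ext, '' if $name =~ /\.\w+$/;    # caller already gave a suffix
    }

    for my $dir (@dirs) {
        for my $ext (@ext) {
            my $candidate = File::Spec->catfile($dir, $name . $ext);
            next unless -f $candidate;
            # The executable bit is only a useful test off Win32.
            return $candidate if $win || -x $candidate;
        }
    }
    return;    # not found: the caller should say so instead of staying silent
}

# Constructed demo: a directory holding only an empty cpansign.bat.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($dir, 'cpansign.bat')) or die "create: $!";
close $fh;

for my $pathext ('.EXE', '.EXE;.BAT') {
    my $hit = find_tool('cpansign', os => 'MSWin32', path => $dir, pathext => $pathext);
    print "PATHEXT=$pathext: ",
        ($hit ? "found $hit" : "cpansign not found, signature NOT verified"), "\n";
}
```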