in reply to Re^6: GPG-Signed modules fail to install using cpanp under CygwinPerl
in thread GPG-Signed modules fail to install using cpanp under CygwinPerl

If I come across other signed CPAN modules I'll post.

After reading this, I intended to reply with the following information, but never followed through. But I was reminded this morning, when I had a couple spare minutes:

The following of my distros have been signed:

Unfortunately, Kwalitee currently says it "Can't check signature: No public key" for the first four -- for example, here -- despite the fingerprint E800DAF40F9AC138A2747ED6FA2CFCE568A5ADCF matching my fingerprint.

And the last two had their SIGNATURE files generated pre-Module::Signature-v0.82, so Kwalitee complains about being an old SIGNATURE, even though the FA2CFCE568A5ADCF that it lists is the appropriate 16-character shorthand for the same key.

But at least for the first four, maybe with an updated Module::Signature v0.89, which uses keyserver.ubuntu.com instead of the old URL, maybe these can be examples to try on a Cygwin setup.

(I don't use Cygwin, nor cpanplus; but when I tried my Strawberry cpanm --look on CAD::Mesh3D or Math::PRBS (new and old style SIGNATURE), and ran cpansign -v to verify either of those downloads, it came back with a valid signature (though with the "old SIGNATURE" warning on the second); cpanm --verify didn't tell me anything, so I don't know if it doesn't do anything, or if it just doesn't say anything on a good SIGNATURE (or if the invalid WARNING it gives means it's not doing any signature checking).)

Re^8: GPG-Signed modules fail to install using cpanp under CygwinPerl
by Intrepid (Curate) on Oct 15, 2024 at 01:37 UTC

    Thanks for this! It's very good to have more signed modules to see what behaviors they display. I use both Cygwin and Debian so I can check what happens on both platforms.

    I would like it if cpanm gave notice of a successful verification. I'm just today using cpanm since I perlbrew'ed an installation of a slightly old perl and cpanm comes with it.

    Oct 14, 2024 at 21:23 UTC
    The open palm of desire
    Wants everything, it wants everything
    It wants soil as soft as summer
    And the strength to push like spring
    Paul Simon -> Further to Fly
      I would like it if cpanm gave notice of a successful verification.

      It actually does, if cpanm --verify could find cpansign.bat, not just cpansign or cpansign.exe (I've reported this Win32 failure to App::cpanminus's repo). I patched my copy of cpanm to also search for the .bat ending when doing its which('cpansign') (and any other calls to which throughout), and now it does properly report a success:

      c:\> cpansign --verify WWW::KeePassHttp
      --> Working on WWW::KeePassHttp
      Fetching http://www.cpan.org/authors/id/P/PE/PETERCJ/WWW-KeePassHttp-0.020.tar.gz ... OK
      Fetching http://www.cpan.org/authors/id/P/PE/PETERCJ/CHECKSUMS ... OK
      Verifying the SIGNATURE file ... Verified OK
      Configuring WWW-KeePassHttp-0.020 ... OK
      ...

      Since you are on linux or the linux-like Cygwin, I think cpanm --verify should work for you, as long as cpansign is in your $PATH.