Hmm... I've been thinking of starting to use Module::Signature on a stand-alone network, since verifying that the file was written as the author had intended is a good thing (tm). (In this case, a network that does not have access to the regular internet.) I would still like to have the ability to verify that the module was written as intended, but since the module makes queries to (a specific key server), how would one implement this? I have a couple of ideas, but I'm not sure which would be best or most feasible...
Update: Autrijus, the author of the module, replied below. He has a good plan and is working with people that run CPAN to address this concern.
Any ideas? If people are interested, I might be able to write some code to support this...
Have a great one.

----
Zak

My tentative plan is...
by audreyt (Hermit) on Aug 12, 2003 at 16:50 UTC
    • To make Module::Signature fail gracefully (fallback to simple SHA1 check without OpenPGP check) when used in an environment without network connection. This has been done.
    • Modify PAUSE to allow uploading of PUBKEY (or PUBKEY.txt) to the author's directory. That file is overwritable.
    • PAUSE may also act as a local CA and sign each successfully uploaded PUBKEY. Consequently, individual PUBKEY files can be downloaded via http, rsync, ftp from any CPAN mirrors.
    • It may be desirable to publish the PAUSE keyring as a master file, such as 05pubring.gpg.gz, which contains all PUBKEY files mentioned above.
    • User _may_ choose to trust PAUSE, and by extension marginally trust each author's keys.

    Of course, this is still pending further discussion with ANDK and other CPAN workers.

    Thanks,
    /Autrijus/

      Audrey,

      Sorry to resurrect an old thread, but what decisions had been made about distributing the module signatures? I've been signing all of my modules, but I don't want the scary "WARNING: This key is not certified with a trusted signature!" warning to appear to everyone installing the module.

      I'm more than willing to exchange signing keys with other authors to help build the trust web, but I'm not sure where to start.

      Currently, I'm going to just add a TEST_SIGNATURE environment variable gate so that the test is just run when requested by users. But I think it would be best in the future (for authors and recipients) if the module is tested every time it's installed.

      Thanks for your time and effort on Module::Signature.

      - Roy
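The SHA1-only fallback in the first bullet of audreyt's plan is the part that actually works on an isolated network, so it is worth being precise about what it does and does not prove. The Python below is an added example written for this page; it is not Module::Signature's code and was not posted in the thread. It assumes the digest lines inside the clearsigned block of SIGNATURE have the form `SHA1 <hex> <path>`, that digests are taken over raw file bytes (Module::Signature's own text-file line-ending handling is not reproduced), and that MANIFEST lists every shipped file including SIGNATURE. The sample distribution is constructed. It carries the check through a tamper case: a modified file checked against the original SIGNATURE is caught, but a modified file with a regenerated SIGNATURE passes the digest check, which is exactly the gap the PAUSE-signed keyring in the later bullets is meant to close.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample distribution (path -> raw bytes); not a real CPAN dist.
DIST_FILES = {
    "MANIFEST": b"MANIFEST\nMakefile.PL\nSIGNATURE\nlib/Foo.pm\n",
    "Makefile.PL": b"use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Foo');\n",
    "lib/Foo.pm": b"package Foo;\nour $VERSION = '0.01';\n1;\n",
}

SIGNATURE_FILE = "SIGNATURE"
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Assumed digest-line layout inside the clearsigned block.
DIGEST_LINE = re.compile(r"^SHA1 ([0-9a-f]{40}) (\S.*)$")


def sha1_hex(data: bytes) -> str:
    # Assumption: digest over raw bytes; no text-mode normalisation.
    return hashlib.sha1(data).hexdigest()


def manifest_entries(files: dict) -> list:
    return [ln.strip() for ln in files["MANIFEST"].decode().splitlines() if ln.strip()]


def build_signature(files: dict) -> str:
    """Emit a SIGNATURE in the clearsigned layout. The OpenPGP signature
    body is a placeholder: this demo has no key, so a real gpg would
    reject it. That is the point: anyone can produce valid digest lines."""
    lines = [BEGIN_SIGNED, "Hash: SHA1", ""]
    for path in sorted(manifest_entries(files)):
        if path == SIGNATURE_FILE:
            continue
        lines.append(f"SHA1 {sha1_hex(files[path])} {path}")
    lines += [BEGIN_SIG, "(placeholder: no real OpenPGP signature)", END_SIG]
    return "\n".join(lines) + "\n"


@dataclass
class VerifyResult:
    mismatched: list = field(default_factory=list)  # digest differs
    missing: list = field(default_factory=list)     # listed but absent
    unlisted: list = field(default_factory=list)    # in MANIFEST, not in SIGNATURE
    openpgp_verified: bool = False                  # never True in this fallback

    @property
    def digests_ok(self) -> bool:
        return not (self.mismatched or self.missing or self.unlisted)


def verify_digests(signature_text: str, files: dict) -> VerifyResult:
    """Offline fallback: recompute and compare the digest lines only.
    Integrity against accidental corruption is checked; authenticity of
    SIGNATURE itself is not, because no OpenPGP signature is verified."""
    lines = signature_text.splitlines()
    if BEGIN_SIGNED not in lines or BEGIN_SIG not in lines:
        raise ValueError("SIGNATURE is not a clearsigned message")
    start = lines.index(BEGIN_SIGNED) + 1
    end = lines.index(BEGIN_SIG)
    result = VerifyResult()
    listed = set()
    for ln in lines[start:end]:
        m = DIGEST_LINE.match(ln)
        if not m:
            continue  # "Hash:" header and blank separator
        expected, path = m.groups()
        listed.add(path)
        if path not in files:
            result.missing.append(path)
        elif sha1_hex(files[path]) != expected:
            result.mismatched.append(path)
    for path in manifest_entries(files):
        if path != SIGNATURE_FILE and path not in listed:
            result.unlisted.append(path)
    return result


if __name__ == "__main__":
    sig = build_signature(DIST_FILES)
    print("clean dist:", verify_digests(sig, DIST_FILES))
    tampered = dict(DIST_FILES)
    tampered["lib/Foo.pm"] = b"package Foo;\nsystem('id');\n1;\n"
    print("tampered, original SIGNATURE:", verify_digests(sig, tampered))
    # Attacker regenerates SIGNATURE: digest check alone cannot tell.
    print("tampered, regenerated SIGNATURE:",
          verify_digests(build_signature(tampered), tampered))
```

The last case is the one to keep in mind on a stand-alone network: `digests_ok` is true and `openpgp_verified` is false, so the fallback should be treated as a checksum, not as proof of authorship. To get authorship offline you need the author's key (or the PAUSE keyring audreyt proposes) carried in with the mirror and verified with gpg against the real signature block.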
Re: Module::Signature on stand alone networks
by PodMaster (Abbot) on Aug 12, 2003 at 11:27 UTC
    I like option #2, that would make a nice addition. Instead of creating another master file (04), maybe extending 01mailrc.txt.gz to include a signature might not be a bad idea (if the signatures aren't too big); either way, I like option #2.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.