My tentative plan is...

To make Module::Signature fail gracefully (fallback to simple SHA1 check without OpenPGP check) when used in an environment without network connnection. This has been done.
Modify PAUSE to allow uploading of PUBKEY (or PUBKEY.txt) to the author's directory. That file is overwritable.
PAUSE may also act as a local CA and sign each successfully uploaded PUBKEY. Consequently, individual PUBKEY files can be downloaded via http, rsync, ftp from any CPAN mirrors.
It may be desirable to publish the PAUSE keyring as a master file, such as 05pubring.gpg.gz, which contains all PUBKEY files mentioned above.
User _may_ choose to trust PAUSE, and by extension marginally trust each author's keys.

Of course, this is still pending furthur discussion with ANDK and other CPAN workers.

Thanks,
/Autrijus/

Comment on My tentative plan is...

Replies are listed 'Best First'.
Re: My tentative plan is... by Wyrdweaver (Beadle) on Apr 05, 2009 at 23:04 UTC
Audrey, Sorry to resurrect an old thread, but what decisions had been made about distributing the module signatures? I've been signing all of my modules, but I don't want the scary "WARNING: This key is not certified with a trusted signature!" warning to appear to everyone installing the module. I'm more than willing to exchange signing keys with other authors to help build the trust web, but I'm not sure where to start. Currently, I'm going to just add a TEST_SIGNATURE environment variable gate so that the test is just run when requested by users. But I think it would be best in the future (for authors and recipients) if the module is tested every time it's installed. Thanks for your time and effort on Module::Signature. - Roy	[reply]

Replies are listed 'Best First'.

Re: My tentative plan is...
by Wyrdweaver (Beadle) on Apr 05, 2009 at 23:04 UTC