jkeenan1 has asked for the wisdom of the Perl Monks concerning the following question:

Recently, having decided to become more security-conscious, I installed Mac GNU Privacy Guard from http://macgpg.sourceforge.net/. Since then, I've been having problems installing Perl modules using the CPAN.pm interactive shell. Here is the output from an attempt to install a pure Perl module, Casey West's Email::Send:

cpan> install Email::Send
CPAN: Storable loaded ok
Going to read /Users/jimk/.cpan/Metadata
  Database was generated on Sat, 28 Jan 2006 23:13:10 GMT
Running install for module Email::Send
Running make for C/CW/CWEST/Email-Send-2.03.tar.gz
CPAN: Digest::SHA loaded ok
CPAN: Module::Signature loaded ok

So far so good, but what follows are warnings I never previously would have received.

gpg: WARNING: unsafe ownership on configuration file `/Users/jimk/.gnupg/gpg.conf'
gpg: WARNING: unsafe ownership on configuration file `/Users/jimk/.gnupg/gpg.conf'
gpg: Signature made Sat Jan 28 18:35:45 2006 EST using DSA key ID 450F89EC
gpg: external program calls are disabled due to unsafe options file permissions
gpg: keyserver communications error: general error
gpg: Can't check signature: public key not found
Signature invalid for distribution file. Please investigate.

Distribution id = C/CW/CWEST/Email-Send-2.03.tar.gz
    CPAN_USERID       CWEST (Casey West <casey@geeknest.com>)
    CALLED_FOR        Email::Send
    CHECKSUM_STATUS
    CONTAINSMODS      Email::Send::IO Email::Send::Sendmail Email::Send::NNTP Email::Send::SMTP Email::Send::Qmail Email::Send
    UPLOAD_DATE       2006-01-28
    incommandcolor    1
    localfile         /Users/jimk/.cpan/sources/authors/id/C/CW/CWEST/Email-Send-2.03.tar.gz

I'd recommend removing
/Users/jimk/.cpan/sources/authors/id/C/CW/CWEST/CHECKSUMS. Its signature
is invalid. Maybe you have configured your 'urllist' with a bad URL.
Please check this array with 'o conf urllist', and retry.

The upshot: Nothing gets installed.

I have double-checked my urllist; it contains the same mirrors I've been using for years. So I don't think that's where the problem lies. I suspect I don't understand the implications of using CPAN.pm on a machine where gpg is installed. But perhaps it's a problem with the particular version of CPAN.pm. Can anyone clarify?

Info: Perl 5.8.7; Mac OS X (10.3); CPAN.pm version 1.83.

Thank you very much.

Jim Keenan

Re: Can't use CPAN.pm once gpg installed
by diotalevi (Canon) on Jan 29, 2006 at 22:54 UTC

    That combination works fine on Linux and Windows. Have you looked at the permissions of your ~/.gnupg directory and the ~/.gnupg/gpg.conf file? From the error you reported, that looks to be the problem.

    ⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊

Re: Can't use CPAN.pm once gpg installed
by tirwhan (Abbot) on Jan 29, 2006 at 23:42 UTC

    perl -e 'chmod 0700,"$ENV{HOME}/.gnupg";chmod 0600,"$ENV{HOME}/.gnupg/gpg.conf";'

    There are ten types of people: those that understand binary and those that don't.
      The permissions on the ~/.gnupg directory were already set to 0700:

      [jimk] 503 $ ls -al
      total 464
      ...
      drwx------    8 jimk  jimk   272 28 Jan 12:52 .gnupg

      The permissions on ~/.gnupg/gpg.conf were 0644; I changed them to 0600:

      [.gnupg] 512 $ ll
      total 56
      -rw-------  1 jimk  jimk  8084 28 Jan 12:33 gpg.conf

      I re-ran the cpan shell for Email::Send. Same results. I got the same results when I took the suggestion about removing /Users/jimk/.cpan/sources/authors/id/C/CW/CWEST/CHECKSUMS and then re-called install Send::Easy.

      Note: The error messages refer to unsafe ownership on gpg.conf:

      gpg: WARNING: unsafe ownership on configuration file `/Users/jimk/.gnupg/gpg.conf'

      Since 'jimk' rather than 'root' is the owner of gpg.conf, could that be the problem? (Well, I doubt it, I tried changing the ownership of that file to root, reran the shell, and again failed.)

      More thoughts? Thanks.

      jimk

      Here is possibly relevant documentation from CPAN.pm:

      Cryptographically signed modules

      Since release 1.77 CPAN.pm has been able to verify cryptographically signed module distributions using Module::Signature. The CPAN modules can be signed by their authors, thus giving more security. ...

      You will need to have Module::Signature installed, which in turn requires that you have at least one of Crypt::OpenPGP module or the command-line gpg tool installed.

      You will also need to be able to connect over the Internet to the public keyservers, like pgp.mit.edu, and their port 11731 (the HKP protocol).

      Well, I've got Module::Signature and gpg installed, and I'm connected to the Internet. What am I missing?

      jimk

Re: Can't use CPAN.pm once gpg installed
by randyk (Parson) on Jan 30, 2006 at 02:00 UTC
    Are you running this as the jimk user? This message indicates that this error can result from running gpg as someone who is not the owner of the gpg.conf file.
      I call 'sudo cpan' to initiate the CPAN shell. Which, as far as I know, is what I need to do, in order to install CPAN modules under /usr/local/lib rather than somewhere under ~.

      So I guess I'm not running as the owner of the gpg.conf file. But the message you cite implies that this shouldn't be a problem.

      jimk

      UPDATE: If I simply call cpan without sudo-ing first, I avoid all the 'unsafe ownership' messages -- but, not surprisingly, can't install the files or the docs under /usr/local/.

      The only way that I can use the CPAN shell to install is to temporarily rename .gnupg/, then call sudo cpan, do the installation, and then change back to .gnupg/. Not exactly user friendly!

      Am I the only one experiencing this problem?

        Recent versions of CPAN.pm support a make_install_make_command configuration setting, which is used to set the make command for running make install. Does setting this to "sudo make" work?
        I've faced a similar issue. The problem with 'sudo cpan' as opposed to, say, 'su - -c cpan' (roughly) is that with sudo your user's environment is still active and CPAN.pm will, by default, use your home directory as its repository and pick up other config files from there.
Re: Can't use CPAN.pm once gpg installed
by Aristotle (Chancellor) on Jan 31, 2006 at 04:01 UTC

    Use sudo -i cpan so that sudo will set up the environment just as it would be for a logged-in root user.

    Makeshifts last the longest.

      This worked, albeit with some warning messages which I'll post later today. Thanks to all for your assistance.

      jimk

      Here is an excerpt from the messages I got following Aristotle's suggestion:

      [jimk] $ sudo -i cpan
      cpan> install File::pushd
      (snip)
      Fetching with Net::FTP:
        ftp://ftp.perl.org/pub/CPAN/authors/01mailrc.txt.gz
      Couldn't fetch 01mailrc.txt.gz from ftp.perl.org

      Trying with "/usr/bin/curl -L" to get
          ftp://ftp.perl.org/pub/CPAN/authors/01mailrc.txt.gz
        % Total    % Received % Xferd  Average Speed          Time             Curr.
                                       Dload  Upload Total    Current  Left    Speed
      100  107k  100  107k    0     0  37541      0  0:00:02  0:00:02  0:00:00 66261

      It's interesting to note that this is the first time in my use of CPAN.pm or the shell that it used curl to fetch the needed files. I was not previously acquainted with this utility, so I suspect it's a recent addition to the module's functionality.

      (snip use of curl to get other prerequisites)

      CPAN: Module::Signature loaded ok
      gpg: new configuration file `/var/root/.gnupg/gpg.conf' created
      gpg: WARNING: options in `/var/root/.gnupg/gpg.conf' are not yet active during this run
      gpg: Signature made Fri Jan 27 03:47:39 2006 EST using DSA key ID 450F89EC
      gpg: Can't check signature: public key not found
      Signature for /var/root/.cpan/sources/authors/id/D/DA/DAGOLDEN/CHECKSUMS ok
      Checksum for /var/root/.cpan/sources/authors/id/D/DA/DAGOLDEN/File-pushd-0.30.tar.gz ok

      It's interesting that CPAN.pm here created a directory tree, /var/root/.gnupg, which didn't previously exist. As a matter of fact, it created two directory trees, that and /var/root/.cpan. I'm not surprised at the latter, but I am at the former.

      Can anyone tell me if I should take any action in response to those gpg warnings?

      From here on down, everything DWIMmed. (snip unpacking of File-pushd-0.30)

      Files=1, Tests=34,  1 wallclock secs ( 0.32 cusr +  0.30 csys =  0.62 CPU)
        /usr/bin/make test -- OK
      Running make install
      Installing /usr/local/lib/perl5/site_perl/5.8.7/File/pushd.pm
      Installing /usr/local/man/man3/File::pushd.3
      Writing /usr/local/lib/perl5/site_perl/5.8.7/darwin-2level/auto/File/pushd/.packlist
      Appending installation info to /usr/local/lib/perl5/5.8.7/darwin-2level/perllocal.pod
        /usr/bin/make install -- OK

      So it seems like sudo -i cpan is the way to go! Thanks.

      jimk

        The messages relating to /var/root/.gnupg appear to be coming from gpg which gets launched to perform signature verification duties, rather than from CPAN.pm itself. And you shouldn’t get them again, either.

        Makeshifts last the longest.
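
Added example, not part of the thread or of gpg/CPAN.pm: a shell check that shows why the same ~/.gnupg passes for its owner but draws "unsafe ownership" when gpg runs as uid 0 with the invoking user's HOME, the `sudo cpan` situation described above. The function names and the rule set are assumptions; gpg's real checks are more detailed than this simplified model.

```shell
#!/bin/sh
# Added example (not from the thread). Simplified model of gpg's checks:
# each path must be owned by the given uid, the directory must grant nothing
# to group/other, and gpg.conf must not be group/other-writable.

# Print "<owner-uid> <octal-mode>" (GNU stat first, then BSD/macOS stat).
owner_mode() {
    stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Lp' "$1" 2>/dev/null
}

# check_gnupg_home DIR UID: print findings (or "ok"); return 1 on any finding.
check_gnupg_home() {
    dir=$1; uid=$2; status=0
    for path in "$dir" "$dir/gpg.conf"; do
        [ -e "$path" ] || continue
        om=$(owner_mode "$path") || continue
        owner=${om% *}; mode=${om#* }
        if [ "$owner" != "$uid" ]; then
            echo "unsafe ownership: $path (owner uid $owner, gpg running as uid $uid)"
            status=1
        fi
        # Directories: no group/other bits at all. Files: no group/other write.
        if [ -d "$path" ]; then mask=077; else mask=022; fi
        if [ $(( 0$mode & $mask )) -ne 0 ]; then
            echo "unsafe permissions: $path (mode $mode)"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "ok"
    return "$status"
}

# The home gpg would use: GNUPGHOME if set, otherwise $HOME/.gnupg.
gnupg_home=${GNUPGHOME:-${HOME:-/nonexistent}/.gnupg}

echo "as current user (uid $(id -u)):"
check_gnupg_home "$gnupg_home" "$(id -u)" || true
# Root with the invoking user's HOME still set, as with 'sudo cpan' in the thread.
echo "as uid 0 with the same HOME:"
check_gnupg_home "$gnupg_home" 0 || true
```

Under this model a 0644 gpg.conf is not flagged, and changing only gpg.conf's owner still leaves the directory's owner mismatched, which matches what jimk saw after his chmod and chown attempts.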