QM has asked for the wisdom of the Perl Monks concerning the following question:

Windows XP, strawberry Perl v5.16.1 
C:\WINDOWS>cpanp i Math::Big
Installing Math::Big (1.12)
gpg: Signature made 04/17/07 15:52:12 GMT Daylight Time using RSA key 
+ID 93B84C15
gpg: Can't check signature: No public key
[ERROR] Signature check failed for module 'Math::Big' -- Not trusting 
+this module, aborting install

*** Install log written to:
  C:\Documents and Settings\SG34\.cpanplus\install-logs\Math-Big-1.12-
+1348754888.log

Error installing 'Math::Big'
Problem installing one or more modules

[download]
Exactly who doesn't have a public key? The module author?

How do I fix this? I assume I should be using gpg, so I installed it and exported a key to the default server.

At this point, I'd just like to install the module.

-QM
--
Quantum Mechanics: The dreams stuff is made of

Replies are listed 'Best First'.
Re: cpanp install, gpg: Can't check signature: No public key
by tobyink (Canon) on Sep 27, 2012 at 16:57 UTC

    I don't know about cpanp, but cpan and cpanm each have an option for forcing an install even when tests fail.

    perl -E'sub Monkey::do{say$_,for@_,do{($monkey=[caller(0)]->[3])=~s{::}{ }and$monkey}}"Monkey say"->Monkey::do'
[reply]
      In cpanp (and I presume in cpan): 
      CPAN Terminal> s conf signature 0

      [download]

      -QM
      --
      Quantum Mechanics: The dreams stuff is made of

[reply]
[d/l]
[select]
        # For cpan, use 'o conf' Note: That's a small letter 'o' before 'conf' o conf signature 0 o conf commit # You will get a warning about signature not being a valid config item, but just ignore it
[reply]

        Okay, and if a GPG signature is missing ... can someone please document here how one properly retrieves and installs it?   (Does someone, like, have to read that hex key-id and enter it by hand into a separate command to pull the PK down from a keyserver?   How gauche ...   For all those of us who don’t know the answer, what is the answer to this one?)

      It seems that this is something to do with cryptographic signature verification (integrity checking) of the package content, not a test-failure.   I know that there is an o conf setting for this in ordinary CPAN, which can turn this feature on or off, but I can’t speak to this particular scenario.   I would like to know how it shakes out ...

Re: cpanp install, gpg: Can't check signature: No public key
by Anonymous Monk on Sep 27, 2012 at 16:26 UTC
    It appears that CPAN is configured to check module signing signatures, and that it expects to do so with key-id 93B84C15, but that key has not been imported into your GPG key-ring. When you say "exported a key to the default server," exactly what did you do?
[reply]
      I installed Gpg4win, and went through the certificate creation steps in Kleopatra, including exporting to a server.

      Do I have to import the key for each module or author? Is there some way to automate this?

      I don't see the point of installing more than the odd module if I have to track down the public keys for each one. I suppose the whole distributed key thing is a real pain, as I'll have to find trusted authorities who host the public keys of the entities I want to communicate with.

      -QM
      --
      Quantum Mechanics: The dreams stuff is made of

[reply]
        You can always disable that signature checking stuff in cpanp 
        $conf->set_conf( signature => 0 );

        [download]
[reply]
[d/l]

Back to Seekers of Perl Wisdom