1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
|
NAME
Module::Signature - Module signature file manipulation
SYNOPSIS
As a shell command:
% cpansign # verify an existing SIGNATURE, or
# make a new one if none exists
% cpansign sign # make signature; overwrites existing one
% cpansign -s # same thing
% cpansign verify # verify a signature
% cpansign -v # same thing
% cpansign -v --skip # ignore files in MANIFEST.SKIP
% cpansign help # display this documentation
% cpansign -h # same thing
In programs:
use Module::Signature qw(sign verify SIGNATURE_OK);
sign();
sign(overwrite => 1); # overwrites without asking
# see the CONSTANTS section below
(verify() == SIGNATURE_OK) or die "failed!";
DESCRIPTION
Module::Signature adds cryptographic authentications to CPAN
distributions, via the special SIGNATURE file.
If you are a module user, all you have to do is to remember to run
"cpansign -v" (or just "cpansign") before issuing "perl Makefile.PL" or
"perl Build.PL"; that will ensure the distribution has not been tampered
with.
Module authors can easily add the SIGNATURE file to the distribution
tarball; see "NOTES" below for how to do it as part of "make dist".
If you *really* want to sign a distribution manually, simply add
"SIGNATURE" to MANIFEST, then type "cpansign -s" immediately before
"make dist". Be sure to delete the SIGNATURE file afterwards.
Please also see "NOTES" about MANIFEST.SKIP issues, especially if you
are using Module::Build or writing your own MANIFEST.SKIP.
Signatures made with Module::Signature prior to version 0.82 used the
SHA1 algorithm by default. SHA1 is now considered broken, and therefore
module authors are strongly encouraged to regenerate their SIGNATURE
files. Users verifying old SHA1 signature files will receive a warning.
VARIABLES
No package variables are exported by default.
$Verbose
If true, Module::Signature will give information during processing
including gpg output. If false, Module::Signature will be as quiet
as possible as long as everything is working ok. Defaults to false.
$SIGNATURE
The filename for a distribution's signature file. Defaults to
"SIGNATURE".
$AUTHOR
The key ID used for signature. If empty/null/0, "gpg"'s configured
default ID, or the most recently added key within the secret keyring
for "Crypt::OpenPGP", will be used for the signature.
$KeyServer
The OpenPGP key server for fetching the author's public key
(currently only implemented on "gpg", not "Crypt::OpenPGP"). May be
set to a false value to prevent this module from fetching public
keys.
$KeyServerPort
The OpenPGP key server port, defaults to 11371.
$Timeout
Maximum time to wait to try to establish a link to the key server.
Defaults to 3.
$AutoKeyRetrieve
Whether to automatically fetch unknown keys from the key server.
Defaults to 1.
$Cipher
The default cipher used by the "Digest" module to make signature
files. Defaults to "SHA256", but may be changed to other ciphers via
the "MODULE_SIGNATURE_CIPHER" environment variable if the SHA256
cipher is undesirable for the user.
The cipher specified in the SIGNATURE file's first entry will be
used to validate its integrity. For "SHA256", the user needs to have
any one of these modules installed: Digest::SHA, Digest::SHA256, or
Digest::SHA::PurePerl.
$Preamble
The explanatory text written to newly generated SIGNATURE files
before the actual entries.
ENVIRONMENT
Module::Signature honors these environment variables:
MODULE_SIGNATURE_AUTHOR
Works like $AUTHOR.
MODULE_SIGNATURE_CIPHER
Works like $Cipher.
MODULE_SIGNATURE_VERBOSE
Works like $Verbose.
MODULE_SIGNATURE_KEYSERVER
Works like $KeyServer.
MODULE_SIGNATURE_KEYSERVERPORT
Works like $KeyServerPort.
MODULE_SIGNATURE_TIMEOUT
Works like $Timeout.
CONSTANTS
These constants are not exported by default.
CANNOT_VERIFY (0E0)
Cannot verify the OpenPGP signature, maybe due to the lack of a
network connection to the key server, or if neither gnupg nor
Crypt::OpenPGP exists on the system.
SIGNATURE_OK (0)
Signature successfully verified.
SIGNATURE_MISSING (-1)
The SIGNATURE file does not exist.
SIGNATURE_MALFORMED (-2)
The signature file does not contains a valid OpenPGP message.
SIGNATURE_BAD (-3)
Invalid signature detected -- it might have been tampered with.
SIGNATURE_MISMATCH (-4)
The signature is valid, but files in the distribution have changed
since its creation.
MANIFEST_MISMATCH (-5)
There are extra files in the current directory not specified by the
MANIFEST file.
CIPHER_UNKNOWN (-6)
The cipher used by the signature file is not recognized by the
"Digest" and "Digest::*" modules.
NOTES
Signing your module as part of "make dist"
The easiest way is to use Module::Install:
sign; # put this before "WriteAll"
WriteAll;
For ExtUtils::MakeMaker (version 6.18 or above), you may do this:
WriteMakefile(
(MM->can('signature_target') ? (SIGN => 1) : ()),
# ... original arguments ...
);
Users of Module::Build may do this:
Module::Build->new(
(sign => 1),
# ... original arguments ...
)->create_build_script;
MANIFEST.SKIP Considerations
(The following section is lifted from Iain Truskett's Test::Signature
module, under the Perl license. Thanks, Iain!)
It is imperative that your MANIFEST and MANIFEST.SKIP files be accurate
and complete. If you are using "ExtUtils::MakeMaker" and you do not have
a MANIFEST.SKIP file, then don't worry about the rest of this. If you do
have a MANIFEST.SKIP file, or you use "Module::Build", you must read
this.
Since the test is run at "make test" time, the distribution has been
made. Thus your MANIFEST.SKIP file should have the entries listed below.
If you're using "ExtUtils::MakeMaker", you should have, at least:
#defaults
^Makefile$
^blib/
^pm_to_blib
^blibdirs
These entries are part of the default set provided by
"ExtUtils::Manifest", which is ignored if you provide your own
MANIFEST.SKIP file.
If you are using "Module::Build", you should have two extra entries:
^Build$
^_build/
If you don't have the correct entries, "Module::Signature" will complain
that you have:
==> MISMATCHED content between MANIFEST and distribution files! <==
You should note this during normal development testing anyway.
Testing signatures
You may add this code as t/0-signature.t in your distribution tree:
#!/usr/bin/perl
use strict;
print "1..1\n";
if (!$ENV{TEST_SIGNATURE}) {
print "ok 1 # skip Set the environment variable",
" TEST_SIGNATURE to enable this test\n";
}
elsif (!-s 'SIGNATURE') {
print "ok 1 # skip No signature file found\n";
}
elsif (!eval { require Module::Signature; 1 }) {
print "ok 1 # skip ",
"Next time around, consider install Module::Signature, ",
"so you can verify the integrity of this distribution.\n";
}
elsif (!eval { require Socket; Socket::inet_aton('keyserver.ubuntu.com') }) {
print "ok 1 # skip ",
"Cannot connect to the keyserver\n";
}
else {
(Module::Signature::verify() == Module::Signature::SIGNATURE_OK())
or print "not ";
print "ok 1 # Valid signature\n";
}
__END__
If you are already using Test::More for testing, a more straightforward
version of t/0-signature.t can be found in the Module::Signature
distribution.
Note that "MANIFEST.SKIP" is considered by default only when
$ENV{TEST_SIGNATURE} is set to a true value.
Also, if you prefer a more full-fledged testing package, and are willing
to inflict the dependency of Module::Build on your users, Iain
Truskett's Test::Signature might be a better choice.
SEE ALSO
Digest, Digest::SHA, Digest::SHA::PurePerl
ExtUtils::Manifest, Crypt::OpenPGP, Test::Signature
Module::Install, ExtUtils::MakeMaker, Module::Build
Dist::Zilla::Plugin::Signature
AUTHORS
Audrey Tang <cpan@audreyt.org>
LICENSE
This work is under a CC0 1.0 Universal License, although a portion of
the documentation (as detailed above) is under the Perl license.
To the extent possible under law, 唐鳳 has waived all copyright and
related or neighboring rights to Module-Signature.
This work is published from Taiwan.
<http://creativecommons.org/publicdomain/zero/1.0>
|
