man Module::Signature () - Module signature file manipulation
NAME
Module::Signature - Module signature file manipulation
VERSION
This document describes version 0.44 of Module::Signature, released December 16, 2004.
SYNOPSIS
As a shell command:
% cpansign # verify an existing SIGNATURE, or # make a new one if none exists
% cpansign sign # make signature; overwrites existing one % cpansign -s # same thing
% cpansign verify # verify a signature % cpansign -v # same thing % cpansign -v --skip # ignore files in MANIFEST.SKIP
% cpansign help # display this documentation % cpansign -h # same thing
In programs:
use Module::Signature qw(sign verify SIGNATURE_OK); sign(); sign(overwrite => 1); # overwrites without asking
# see the CONSTANTS section below (verify() == SIGNATURE_OK) or die "failed!";
DESCRIPTION
Module::Signature adds cryptographic authentications to CPAN distributions, via the special SIGNATURE file.
If you are a module user, all you have to do is to remember to run CWcpansign -v (or just CWcpansign) before issuing CWperl Makefile.PL or CWperl Build.PL; that will ensure the distribution has not been tampered with.
For module authors, you'd want to add the SIGNATURE file to your MANIFEST, then type CWcpansign -s before making a distribution. You may also want to consider adding this code as t/0-signature.t:
#!/usr/bin/perl use strict; print "1..1\n";
if (!-s 'SIGNATURE') { print "ok 1 # skip No signature file found\n"; } elsif (!eval { require Module::Signature; 1 }) { print "ok 1 # skip ", "Next time around, consider install Module::Signature, ", "so you can verify the integrity of this distribution.\n"; } elsif (!eval { require Socket; Socket::inet_aton('subkeys.pgp.net') }) { print "ok 1 # skip Cannot connect to the keyserver\n"; } else { (Module::Signature::verify() == Module::Signature::SIGNATURE_OK()) or print "not "; print "ok 1 # Valid signature\n"; }
__END__
Note that you'd want to keep your SIGNATURE file at 0 bytes (or missing altogether) during development, so CWmake test would not fail; that file should only be generated during the CWmake dist time; see NOTES for how to do it automatically.
If you are already using Test::More for testing, a more straightforward version of t/0-signature.t can be found in the Module::Signature distribution.
Also, if you prefer a more full-fledged testing package, and are willing to inflict the dependency of Module::Build on your users, Iain Truskett's Test::Signature might be a better choice.
Please also see NOTES about MANIFEST.SKIP issues, especially if you are using Module::Build or writing your own MANIFEST.SKIP.
VARIABLES
No package variables are exported by default.
- $Verbose
- If true, Module::Signature will give information during processing including gpg output. If false, Module::Signature will be as quiet as possible as long as everything is working ok. Defaults to false.
- $SIGNATURE
- The filename for a distribution's signature file. Defaults to CWSIGNATURE.
- $KeyServer
- The OpenPGP key server for fetching the author's public key (currently only implemented on CWgpg, not CWCrypt::OpenPGP). May be set to a false value to prevent this module from fetching public keys.
- $KeyServerPort
- The OpenPGP key server port, defaults to CW11371.
- $Timeout
- Maximum time to wait to try to establish a link to the key server. Defaults to CW3.
- $AutoKeyRetrieve
- Whether to automatically fetch unknown keys from the key server. Defaults to CW1.
- $Cipher
- The default cipher used by the CWDigest module to make signature files. Defaults to CWSHA1, but may be changed to other ciphers if the SHA1 cipher is undesirable for the user. The cipher specified in the SIGNATURE file's first entry will be used to validate its integrity. For CWSHA1, the user needs to have any one of these four modules installed: Digest::SHA, Digest::SHA1, Digest::SHA::PurePerl, or (currently nonexistent) Digest::SHA1::PurePerl.
- $Preamble
- The explanatory text written to newly generated SIGNATURE files before the actual entries.
ENVIRONMENT
Module::Signature honors these environment variables:
- MODULE_SIGNATURE_VERBOSE
- Works like CW$Verbose.
- MODULE_SIGNATURE_KEYSERVER
- Works like CW$KeyServer.
- MODULE_SIGNATURE_KEYSERVERPORT
- Works like CW$KeyServerPort.
- MODULE_SIGNATURE_TIMEOUT
- Works like CW$Timeout.
CONSTANTS
These constants are not exported by default. Cannot verify the OpenPGP signature, maybe due to the lack of a network connection to the key server, or if neither gnupg nor Crypt::OpenPGP exists on the system. Signature successfully verified. The SIGNATURE file does not exist. The signature file does not contains a valid OpenPGP message. Invalid signature detected it might have been tampered with. The signature is valid, but files in the distribution have changed since its creation. There are extra files in the current directory not specified by the MANIFEST file. The cipher used by the signature file is not recognized by the CWDigest and CWDigest::* modules.
NOTES
Module::Install users should simply do this:
WriteAll( sign => 1 );
For ExtUtils::MakeMaker (version 6.18 or above), you may do this:
WriteMakefile( (MM->can('signature_target') ? (SIGN => 1) : ()), # ... original arguments ... );
Users of Module::Build may do this:
Module::Build->new( (sign => 1), # ... original arguments ... )->create_build_script;
MANIFEST.SKIP Considerations
(The following section is lifted from Iain Truskett's Test::Signature module, under the Perl license. Thanks, Iain!)
It is imperative that your MANIFEST and MANIFEST.SKIP files be accurate and complete. If you are using CWExtUtils::MakeMaker and you do not have a MANIFEST.SKIP file, then don't worry about the rest of this. If you do have a MANIFEST.SKIP file, or you use CWModule::Build, you must read this.
Since the test is run at CWmake test time, the distribution has been made. Thus your MANIFEST.SKIP file should have the entries listed below.
If you're using CWExtUtils::MakeMaker, you should have, at least:
#defaults ^Makefile$ ^blib/ ^pm_to_blib ^blibdirs
These entries are part of the default set provided by CWExtUtils::Manifest, which is ignored if you provide your own MANIFEST.SKIP file.
If you are using CWModule::Build, you should have two extra entries:
^Build$ ^_build/
If you don't have the correct entries, CWModule::Signature will complain that you have:
==> MISMATCHED content between MANIFEST and distribution files! <==
You should note this during normal development testing anyway.
SEE ALSO
Digest, Digest::SHA, Digest::SHA1, Digest::SHA::PurePerl
ExtUtils::Manifest, Crypt::OpenPGP, Test::Signature
AUTHORS
Autrijus Tang <autrijus@autrijus.org>
COPYRIGHT
Copyright 2002, 2003, 2004 by Autrijus Tang <autrijus@autrijus.org>.
Parts of the documentation are copyrighted by Iain Truskett, 2002.
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
See <http://www.perl.com/perl/misc/Artistic.html>