  1. #1
    Member verdon's Avatar
    Join Date
    Nov 2003
    Location
    Northern Ontario, Canada
    Posts
    792

    CPAN key/signature problems

    WARNING: This key is not certified with a trusted signature!

    Hi, I've been receiving this error off and on for a week or two in my nightly upcp report. After reading a number of threads here in regards to recent perl and/or cpan problems, I took the following steps on Thursday....

    - removed /home/.cpan
    - re-installed perl using the perl587installer (I was at 5.8.4)
    - ran /scripts/upcp --force
    - ran /usr/local/cpanel/bin/checkperlmodules

    Everything seemed to go OK and Friday's upcp report looked good. This morning's report, back to the same issues. In specific,

    Code:
    Running install for module Archive::Tar
    Running make for K/KA/KANE/Archive-Tar-1.28.tar.gz
    Fetching with LWP:
      http://mirror.cc.columbia.edu/pub/so...ar-1.28.tar.gz
    CPAN: Digest::SHA loaded ok
    Fetching with LWP:
      http://mirror.cc.columbia.edu/pub/so...KANE/CHECKSUMS
    CPAN: Module::Signature loaded ok
    WARNING: This key is not certified with a trusted signature!
    Primary key fingerprint: xxxx xxxx xxxx xxxx xxxx  xxxx xxxx xxxx xxxx xxxx
    Signature for /home/.cpan/sources/authors/id/K/KA/KANE/CHECKSUMS ok
    Checksum for /home/.cpan/sources/authors/id/K/KA/KANE/Archive-Tar-1.28.tar.gz ok
    
    ... then a bunch more lines ...
    
    Package came without SIGNATURE
    
    
      CPAN.pm: Going to build K/KA/KANE/Archive-Tar-1.28.tar.gz
    
    Checking if your kit is complete...
    Looks good
    Writing Makefile for Archive::Tar
    CPAN: YAML loaded ok
    
    ... and so on ...
    There's a lot more, and if anyone is willing to take a look, I will attach the output to this post.

    In the end, there seems to be the same thing happening and I think a few modules are not installing/updating, including Archive::Tar, YAML, Test::Base, Test::More, Class::Spiffy, though I suspect these are symptoms. To be honest, I'm not really sure.

    Any thoughts?
    Last edited by verdon; 01-21-2006 at 07:26 PM.

  2. #2
    Staff Member cpanelben's Avatar
    Join Date
    Feb 2004
    Location
    Houston, Texas USA
    Posts
    598
    cPanel/Enkompass Access Level

    Root Administrator

    The error message you are seeing is more accurately described as a "warning" and it is one of the side effects of using Module::Signature. Module::Signature was recently added to CPAN as part of the default behavior after the CPAN update. The message indicates that the key used to sign the module (to verify its integrity) is not signed with a key that's in your trusted keychain. It does not indicate any problem with CPAN, nor with the module's signature. It simply means that the signature of the module is not as "sure" as it would be if the module was signed by a "trusted" signature (one that you have personally verified either directly or through one of your other "trusted" keys). A bit confusing, right? Well, this is how GPG signatures work, and rather than me explaining public key signatures any further, I recommend reading further on the topic using one of the innumerable documents publicly available on the web.

    In short, this is normal and indicates that Module::Signature is working as it was designed.

    We will likely "disable" Module::Signature in future builds of cPanel, as there are several other "integrity" checks in place that make it a little redundant, and in an automated CPAN module install system, Module::Signature is a little difficult to get right (right meaning no messages or warnings). I've initiated some discussion on the matter with the CPAN folk, and time will tell if the system improves to the point where it's a practical solution for automated systems.

    Disabling Module::Signature manually is a bit "hackish", but here's the quick and dirty steps to do it on any of your systems:

    1. Locate the "Signature.pm" file for your system:
    Code:
    perl -MModule::Signature -le 'print $INC{"Module/Signature.pm"}'
    (this will print out the full path)

    2. Edit the module and convert the VERSION to "0.00" (example on my server, version number may differ on your system):
    Code:
    sed -ie 's/0\.52/0.00/' /usr/lib/perl5/site_perl/5.8.7/Module/Signature.pm
    You can also manually edit the file with any editor, however it is marked as read-only so you'll need to use your editor's command to force a save.

    That will effectively disable Module::Signature. If you mess up the module, or would like to restart using Module::Signature, then just run "/scripts/perlinstaller --force Module::Signature". HTH.
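
An added example, not part of the thread or of cPanel's scripts: a triage filter for a CPAN.pm install log that treats the "not certified with a trusted signature" warning as informational and marks a distribution for review only when the CHECKSUMS signature or the tarball checksum did not report "ok". It assumes each distribution's section begins with "Running make for" and that the success lines read as in the log quoted in post #1; the second distribution in the sample is constructed.

```shell
#!/bin/sh
# Constructed sample input. The first distribution reuses the lines quoted in
# the thread; Example-Broken is invented to show a missing "Checksum ... ok".
sample_log() {
cat <<'EOF'
Running make for K/KA/KANE/Archive-Tar-1.28.tar.gz
CPAN: Digest::SHA loaded ok
CPAN: Module::Signature loaded ok
WARNING: This key is not certified with a trusted signature!
Signature for /home/.cpan/sources/authors/id/K/KA/KANE/CHECKSUMS ok
Checksum for /home/.cpan/sources/authors/id/K/KA/KANE/Archive-Tar-1.28.tar.gz ok
Package came without SIGNATURE
Running make for E/EX/EXAMPLE/Example-Broken-0.01.tar.gz
WARNING: This key is not certified with a trusted signature!
Signature for /home/.cpan/sources/authors/id/E/EX/EXAMPLE/CHECKSUMS ok
EOF
}

# Reads a CPAN.pm log on stdin and prints one line per distribution:
#   <dist> <OK|REVIEW> sig=<0|1> sum=<0|1> untrusted_key=<0|1> unsigned_pkg=<0|1>
# OK requires both the CHECKSUMS signature and the tarball checksum to be "ok".
# untrusted_key and unsigned_pkg are reported but do not change the verdict.
triage_cpan_log() {
  awk '
    function report() {
      if (dist == "") return
      status = (sig && sum) ? "OK" : "REVIEW"
      printf "%s %s sig=%d sum=%d untrusted_key=%d unsigned_pkg=%d\n",
             dist, status, sig, sum, warn, nosig
    }
    # A new distribution section starts: emit the previous one, reset flags.
    /^[ \t]*Running make for / {
      report(); dist = $4; sig = 0; sum = 0; warn = 0; nosig = 0; next
    }
    /This key is not certified with a trusted signature/ { warn = 1 }
    /^[ \t]*Signature for .*\/CHECKSUMS ok[ \t]*$/       { sig = 1 }
    /^[ \t]*Checksum for .* ok[ \t]*$/                   { sum = 1 }
    /^[ \t]*Package came without SIGNATURE/              { nosig = 1 }
    END { report() }
  '
}

# Stand-alone run on the constructed sample; in practice pipe the upcp log in.
sample_log | triage_cpan_log
```
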

  3. #3
    Member verdon's Avatar
    Join Date
    Nov 2003
    Location
    Northern Ontario, Canada
    Posts
    792

    Hi Ben,

    Thanks for the excellent and informative reply. I understand now.

    I appreciate the tip re: disabling and may give it a try, but now that I understand what I am being told, I'm not nearly as concerned.

  4. #4
    Member edumadma's Avatar
    Join Date
    May 2005
    Posts
    52

    what to make ?

    # perl -MModule::Signature -le 'print $INC{"Module/Signature.pm"}'
    /usr/lib/perl5/site_perl/5.8.0/Module/Signature.pm
    #

    package Module::Signature;
    $Module::Signature::VERSION = '0.55';

    use 5.005;
    use strict;
    use vars qw($VERSION $SIGNATURE @ISA @EXPORT_OK);
    use vars qw($Preamble $Cipher $Debug $Verbose $Timeout);
    use vars qw($KeyServer $KeyServerPort $AutoKeyRetrieve $CanKeyRetrieve);
