The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

CPAN key/signature problems

Discussion in 'General Discussion' started by verdon, Jan 21, 2006.

  1. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    WARNING: This key is not certified with a trusted signature!

    Hi, I've been receiving this error off and on for a week or two in my nightly upcp report. After reading a number of threads here in regards to recent perl and/or cpan problems, I took the following steps on Thursday....

    - removed /home/.cpan
    - re-installed perl using the perl587installer (I was at 5.8.4)
    - ran /scripts/upcp -- force
    - ran /usr/local/cpanel/bin/checkperlmodules

    Everything seemed to go OK and Friday's upcp report looked good. This morning's report, back to the same issues. In specific,

    Code:
    Running install for module Archive::Tar
    Running make for K/KA/KANE/Archive-Tar-1.28.tar.gz
    Fetching with LWP:
      [url]http://mirror.cc.columbia.edu/pub/software/cpan/authors/id/K/KA/KANE/Archive-Tar-1.28.tar.gz[/url]
    CPAN: Digest::SHA loaded ok
    Fetching with LWP:
      [url]http://mirror.cc.columbia.edu/pub/software/cpan/authors/id/K/KA/KANE/CHECKSUMS[/url]
    CPAN: Module::Signature loaded ok
    WARNING: This key is not certified with a trusted signature!
    Primary key fingerprint: xxxx xxxx xxxx xxxx xxxx  xxxx xxxx xxxx xxxx xxxx
    Signature for /home/.cpan/sources/authors/id/K/KA/KANE/CHECKSUMS ok
    Checksum for /home/.cpan/sources/authors/id/K/KA/KANE/Archive-Tar-1.28.tar.gz ok
    
    ... then a bunch more lines ...
    
    Package came without SIGNATURE
    
    
      CPAN.pm: Going to build K/KA/KANE/Archive-Tar-1.28.tar.gz
    
    Checking if your kit is complete...
    Looks good
    Writing Makefile for Archive::Tar
    CPAN: YAML loaded ok
    
    ... and so on ...
    There's a lot more, and if anyone is willing to take a look, I will attach the output to this post.

    In the end, there seems to be the same thing happening and I think a few modules are not installing/updating, including Archive::Tar, YAML, Test::Base, Test::More, Class::Spiffy, though I suspect these are symptoms. To be honest, I'm not really sure :)

    Any thoughts?
     
    #1 verdon, Jan 21, 2006
    Last edited: Jan 21, 2006
  2. BenThomas

    BenThomas Well-Known Member

    Joined:
    Feb 12, 2004
    Messages:
    598
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Houston, Texas USA
    cPanel Access Level:
    Root Administrator
    The error message you are seeing is more accurately discribed as a "warning" and it is one of the side effects of using Module::Signature. Module::Signature was recently added to CPAN as part of the default behavior after the CPAN update. The message indicates that the key used to sign the module (to verify it's integrity) is not signed with a key that's in your trusted keychain. It does not indicate any problem with CPAN, nor with the module's signature. It simply means that the signature of the module is not as "sure" as it would be if the module was signed by a "trusted" signature (one that you have personally verified either directly or through one of your other "trusted" keys). A bit confusing right? Well, this is how GPG signatures work, and rather than me explaining public key signatures any further, I recommend reading further on the topic using one of the innumerable documents publically available on the web.

    In short, this is normal and indicates that Module::Signature is working as it was designed.

    We will likely "disable" Module::Signature in future builds of cPanel, as there are several other "integrity" checks in place that make it a little redundant, and in an automated CPAN module install system, Module::Signature is a little difficult to get right (right meaning no messages or warnings). I've initiated some discussion on the matter with the CPAN folk, and time will tell if the system improves to the point were it's a practical solution for automated systems.

    Disabling Module::Signature manually is a bit "hackish", but here's the quick a dirty steps to do it on any of your systems:

    1. Locate the "Signature.pm" file for your system:
    Code:
    perl -MModule::Signature -le 'print $INC{"Module/Signature.pm"}'
    (this will print out the full path)

    2. Edit the module and convert the VERSION to "0.00" (example on my server, version number may differ on your system):
    Code:
    sed -ie 's/0\.52/0.00/' /usr/lib/perl5/site_perl/5.8.7/Module/Signature.pm
    You can also manually edit the file with any editor, however it is marked a readonly so you'll need to use your editor's command to force a save.

    That will effectively disable Module::Signature. If you mess up the module, or would like to restart using Module::Signature, then just run "/scripts/perlinstaller --force Module::Signature". HTH.
     
  3. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Hi Ben,

    Thanks for the excellent and informative reply. I understand now :)

    I appreciate the tip re: disabling and may give it a try, but now that I understand what I am being told, I'm not nearly as concerned.
     
  4. edumadma

    edumadma Well-Known Member

    Joined:
    May 11, 2005
    Messages:
    52
    Likes Received:
    0
    Trophy Points:
    6
    what to make ?

    # perl -MModule::Signature -le 'print $INC{"Module/Signature.pm"}'
    /usr/lib/perl5/site_perl/5.8.0/Module/Signature.pm
    #

    package Module::Signature;
    $Module::Signature::VERSION = '0.55';

    use 5.005;
    use strict;
    use vars qw($VERSION $SIGNATURE @ISA @EXPORT_OK);
    use vars qw($Preamble $Cipher $Debug $Verbose $Timeout);
    use vars qw($KeyServer $KeyServerPort $AutoKeyRetrieve $CanKeyRetrieve);
     
Loading...

Share This Page