|
|
Module::Signature - Module signature file manipulation
This document describes version 0.54 of Module::Signature, released May 12, 2006.
As a shell command:
% cpansign # verify an existing SIGNATURE, or # make a new one if none exists
% cpansign sign # make signature; overwrites existing one % cpansign -s # same thing
% cpansign verify # verify a signature % cpansign -v # same thing % cpansign -v --skip # ignore files in MANIFEST.SKIP
% cpansign help # display this documentation % cpansign -h # same thing
In programs:
use Module::Signature qw(sign verify SIGNATURE_OK); sign(); sign(overwrite => 1); # overwrites without asking
# see the CONSTANTS section below (verify() == SIGNATURE_OK) or die "failed!";
Module::Signature adds cryptographic authentications to CPAN distributions, via the special SIGNATURE file.
If you are a module user, all you have to do is to remember to run
cpansign -v
(or just cpansign
) before issuing perl Makefile.PL
or perl Build.PL
; that will ensure the distribution has not been
tampered with.
Module authors can easily add the SIGNATURE file to the distribution
tarball; see NOTES below for how to do it as part of make dist
.
If you really want to sign a distribution manually, simply add
SIGNATURE
to MANIFEST, then type cpansign -s
immediately
before make dist
. Be sure to delete the SIGNATURE file afterwards.
Please also see NOTES about MANIFEST.SKIP issues, especially if you are using Module::Build or writing your own MANIFEST.SKIP.
No package variables are exported by default.
If true, Module::Signature will give information during processing including gpg output. If false, Module::Signature will be as quiet as possible as long as everything is working ok. Defaults to false.
The filename for a distribution's signature file. Defaults to
SIGNATURE
.
The OpenPGP key server for fetching the author's public key
(currently only implemented on gpg
, not Crypt::OpenPGP
).
May be set to a false value to prevent this module from
fetching public keys.
The OpenPGP key server port, defaults to 11371
.
Maximum time to wait to try to establish a link to the key server.
Defaults to 3
.
Whether to automatically fetch unknown keys from the key server.
Defaults to 1
.
The default cipher used by the Digest
module to make signature
files. Defaults to SHA1
, but may be changed to other ciphers
via the MODULE_SIGNATURE_CIPHER
environment variable if the SHA1
cipher is undesirable for the user.
The cipher specified in the SIGNATURE file's first entry will
be used to validate its integrity. For SHA1
, the user needs
to have any one of these four modules installed: Digest::SHA,
Digest::SHA1, Digest::SHA::PurePerl, or (currently nonexistent)
Digest::SHA1::PurePerl.
The explanatory text written to newly generated SIGNATURE files before the actual entries.
Module::Signature honors these environment variables:
Works like $Cipher
.
Works like $Verbose
.
Works like $KeyServer
.
Works like $KeyServerPort
.
Works like $Timeout
.
These constants are not exported by default.
0E0
)
Cannot verify the OpenPGP signature, maybe due to the lack of a network connection to the key server, or if neither gnupg nor Crypt::OpenPGP exists on the system.
0
)
Signature successfully verified.
-1
)
The SIGNATURE file does not exist.
-2
)
The signature file does not contains a valid OpenPGP message.
-3
)
Invalid signature detected -- it might have been tampered with.
-4
)
The signature is valid, but files in the distribution have changed since its creation.
-5
)
There are extra files in the current directory not specified by the MANIFEST file.
-6
)
The cipher used by the signature file is not recognized by the
Digest
and Digest::*
modules.
make dist
The easiest way is to use Module::Install:
sign; # put this before "WriteAll" WriteAll;
For ExtUtils::MakeMaker (version 6.18 or above), you may do this:
WriteMakefile( (MM->can('signature_target') ? (SIGN => 1) : ()), # ... original arguments ... );
Users of Module::Build may do this:
Module::Build->new( (sign => 1), # ... original arguments ... )->create_build_script;
(The following section is lifted from Iain Truskett's Test::Signature module, under the Perl license. Thanks, Iain!)
It is imperative that your MANIFEST and MANIFEST.SKIP files be
accurate and complete. If you are using ExtUtils::MakeMaker
and you
do not have a MANIFEST.SKIP file, then don't worry about the rest of
this. If you do have a MANIFEST.SKIP file, or you use
Module::Build
, you must read this.
Since the test is run at make test
time, the distribution has been
made. Thus your MANIFEST.SKIP file should have the entries listed
below.
If you're using ExtUtils::MakeMaker
, you should have, at least:
#defaults ^Makefile$ ^blib/ ^pm_to_blib ^blibdirs
These entries are part of the default set provided by
ExtUtils::Manifest
, which is ignored if you provide your own
MANIFEST.SKIP file.
If you are using Module::Build
, you should have two extra entries:
^Build$ ^_build/
If you don't have the correct entries, Module::Signature
will
complain that you have:
==> MISMATCHED content between MANIFEST and distribution files! <==
You should note this during normal development testing anyway.
You may add this code as t/0-signature.t in your distribution tree:
#!/usr/bin/perl
use strict; print "1..1\n";
if (!$ENV{TEST_SIGNATURE}) { print "ok 1 # skip Set the environment variable", " TEST_SIGNATURE to enable this test\n"; } elsif (!-s 'SIGNATURE') { print "ok 1 # skip No signature file found\n"; } elsif (!eval { require Module::Signature; 1 }) { print "ok 1 # skip ", "Next time around, consider install Module::Signature, ", "so you can verify the integrity of this distribution.\n"; } elsif (!eval { require Socket; Socket::inet_aton('pgp.mit.edu') }) { print "ok 1 # skip ", "Cannot connect to the keyserver\n"; } else { (Module::Signature::verify() == Module::Signature::SIGNATURE_OK()) or print "not "; print "ok 1 # Valid signature\n"; }
__END__
If you are already using Test::More for testing, a more straightforward version of t/0-signature.t can be found in the Module::Signature distribution.
Also, if you prefer a more full-fledged testing package, and are willing to inflict the dependency of Module::Build on your users, Iain Truskett's Test::Signature might be a better choice.
the Digest manpage, the Digest::SHA manpage, the Digest::SHA1 manpage, the Digest::SHA::PurePerl manpage
the ExtUtils::Manifest manpage, the Crypt::OpenPGP manpage, the Test::Signature manpage
the Module::Install manpage, the ExtUtils::MakeMaker manpage, the Module::Build manpage
Audrey Tang <cpan@audreyt.org>
Copyright 2002-2006 by Audrey Tang <cpan@audreyt.org>.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ``Software''), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is fur- nished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED ``AS IS'', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FIT- NESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.