I used to use this module until I started to get nonsense fail reports related to \r\n line endings. I've finally got rid of this module from all of my distributions and I don't suggest that anyone use this. I see that \r\n is *still* a problem after all these years: rt.cpan.org/Public/Bug/Display.html?i...
This is just a short note that 0.54 has been released, which should solve the CR/LF problems Robert raised, as well as make the 0-signature.t template opt-in from the user by setting TEST_SIGNATURE environment variable.
After some ongoing bad experiences with this module, I really needed to edit my review and lower the rating.
This *should* be an important tool for verifying that distributions aren't tampered with. But the security value is limited, especially in an automated or partially-automated (CPANPLUS) environment.
It only checks that a signature is good, but does nothing to enforce that the key belongs to the author associated with the module, nor is there an option for it to enforce that the key used to sign the distribution is in a web of trust.
It has problems with end-of-line conventions when files are shared between Windows and Unix. So signatures sometimes fail for text files when checked on platforms with different end-of-line conventions. So builds fail...
It also inherits problems from GnuPG. GnuPG is unable to request subkeys from keyservers. But that's ok since some keyservers mangle subkeys anyway. But Module::Signature will let you sign a module with a subkey. Ooops.
So in order for my modules to be useful to an (important) segment of users, I have to disable module signatures in the distribution.
It's rather sad, but a lot of work has been put into an illusion of security.
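The line-ending failure described in the review above, shown as an added example that is not part of the reviews or of Module::Signature itself: the digest lines are constructed in the "<ALGO> <hex> <path>" shape that SIGNATURE files use, and the file contents, paths and the binary-detection heuristic are assumptions for illustration. It shows why a byte-exact digest of a text file breaks after a CRLF checkout, and that normalizing line endings must be limited to text files so binary files are not corrupted.

```python
import hashlib
import re

# Constructed sample files: the same Perl source as committed on Unix (LF) and as
# checked out on Windows (CRLF), plus a binary file that happens to contain CRLF bytes.
LF_CONTENT = b"package Foo;\n1;\n"
CRLF_CONTENT = LF_CONTENT.replace(b"\n", b"\r\n")
BINARY_CONTENT = b"\x89PNG\r\n\x1a\n\x00\x01"  # CRLF here is data, not a line ending

def digest(data: bytes, algo: str = "sha1") -> str:
    return hashlib.new(algo, data).hexdigest()

# Constructed SIGNATURE-style digest lines, computed by the author on LF content.
SIGNATURE_LINES = [
    f"SHA1 {digest(LF_CONTENT)} lib/Foo.pm",
    f"SHA1 {digest(BINARY_CONTENT)} t/data/blob.png",
]

LINE_RE = re.compile(r"^(\w+) ([0-9a-f]+) (.+)$")

def looks_binary(data: bytes) -> bool:
    """Assumed heuristic: a NUL byte marks the file as binary."""
    return b"\x00" in data

def canonical(data: bytes) -> bytes:
    """Fold CRLF to LF for text files only; binary data must stay byte-exact."""
    if looks_binary(data):
        return data
    return data.replace(b"\r\n", b"\n")

def verify(sig_lines, files, normalize):
    """Return {path: True/False} for each digest line against the on-disk bytes."""
    results = {}
    for line in sig_lines:
        algo, expected, path = LINE_RE.match(line).groups()
        data = files[path]
        if normalize:
            data = canonical(data)
        results[path] = digest(data, algo.lower()) == expected
    return results

WINDOWS_CHECKOUT = {"lib/Foo.pm": CRLF_CONTENT, "t/data/blob.png": BINARY_CONTENT}
```

With `normalize=False` the text file fails on the CRLF checkout even though nothing was tampered with; with `normalize=True` it verifies, and the binary file verifies in both modes because it is never rewritten.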
Module::Signature is an important tool for authenticating the contents of CPAN distributions. Its ease-of-use demonstrates that good security doesn't have to be inconvenient.
Some argue that Module::Signature is redundant, since the CPAN shell authenticates all downloaded distributions against the CHECKSUMS file signed by PAUSE. Unfortunately, this neglects the fact that many (if not most) CPAN users download their modules in an ad-hoc fashion using web links rather than the CPAN shell. In such cases, the SIGNATURE file provides a much-needed safety net.
Nonetheless, the first reviewer makes a very good point: Module::Signature makes no effort to verify that the key in the SIGNATURE file belongs to the actual module author (presumably, the person who checked the module into PAUSE). One hopes that Module::Signature will eventually address this point, perhaps by adding a step to authenticate the SIGNATURE file against the one listed in the CHECKSUMS file signed by PAUSE.
Though not absolutely perfect, Module::Signature is an excellent start to establishing a practical web of trust for the Perl community.