Perl module installation via CPAN and signature error


Vincent Lefevre

Jan 11, 2024, 6:00:07 PM
Hi,

I have 2 Debian/unstable machines on the same network, with the
same .cpan/CPAN/MyConfig.pm file.

On one of them, I get no errors:

qaa:~> cpan -i XML::RPC
CPAN: HTTP::Tiny loaded ok (v0.086)
CPAN: Net::SSLeay loaded ok (v1.92)
CPAN: IO::Socket::SSL loaded ok (v2.084)
Fetching with HTTP::Tiny:
https://cpan.org/authors/01mailrc.txt.gz
Reading '/home/vinc17/.cpan/sources/authors/01mailrc.txt.gz'
CPAN: Compress::Zlib loaded ok (v2.204)
............................................................................DONE
Fetching with HTTP::Tiny:
https://cpan.org/modules/02packages.details.txt.gz
Reading '/home/vinc17/.cpan/sources/modules/02packages.details.txt.gz'
Database was generated on Thu, 11 Jan 2024 21:54:02 GMT
CPAN: HTTP::Date loaded ok (v6.06)
............................................................................DONE
Fetching with HTTP::Tiny:
https://cpan.org/modules/03modlist.data.gz
Reading '/home/vinc17/.cpan/sources/modules/03modlist.data.gz'
DONE
Writing /home/vinc17/.cpan/Metadata
Running install for module 'XML::RPC'
Fetching with HTTP::Tiny:
https://cpan.org/authors/id/C/CA/CAVAC/XML-RPC-2.tar.gz
CPAN: Digest::SHA loaded ok (v6.04)
Fetching with HTTP::Tiny:
https://cpan.org/authors/id/C/CA/CAVAC/CHECKSUMS
CPAN: Module::Signature loaded ok (v0.88)
WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 2E66 557A B97C 19C7 91AF 8E20 328D A867 450F 89EC
Signature for /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/CHECKSUMS ok
Checksum for /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/XML-RPC-2.tar.gz ok
Package came without SIGNATURE

CPAN: YAML loaded ok (v1.31)
[...]
CAVAC/XML-RPC-2.tar.gz
/bin/make install -- OK

But on the other one (an older machine), I get an error:

zira:~> cpan -i XML::RPC
CPAN: HTTP::Tiny loaded ok (v0.086)
CPAN: Net::SSLeay loaded ok (v1.92)
CPAN: IO::Socket::SSL loaded ok (v2.084)
Fetching with HTTP::Tiny:
https://cpan.org/authors/01mailrc.txt.gz
Reading '/home/vinc17/.cpan/sources/authors/01mailrc.txt.gz'
CPAN: Compress::Zlib loaded ok (v2.206)
............................................................................DONE
Fetching with HTTP::Tiny:
https://cpan.org/modules/02packages.details.txt.gz
Reading '/home/vinc17/.cpan/sources/modules/02packages.details.txt.gz'
Database was generated on Thu, 11 Jan 2024 21:54:02 GMT
CPAN: HTTP::Date loaded ok (v6.06)
............................................................................DONE
Fetching with HTTP::Tiny:
https://cpan.org/modules/03modlist.data.gz
Reading '/home/vinc17/.cpan/sources/modules/03modlist.data.gz'
DONE
Writing /home/vinc17/.cpan/Metadata
Running install for module 'XML::RPC'
Fetching with HTTP::Tiny:
https://cpan.org/authors/id/C/CA/CAVAC/XML-RPC-2.tar.gz
CPAN: Digest::SHA loaded ok (v6.04)
Fetching with HTTP::Tiny:
https://cpan.org/authors/id/C/CA/CAVAC/CHECKSUMS
CPAN: Module::Signature loaded ok (v0.88)
gpg: Signature made 2023-12-17T16:29:09 CET
gpg: using RSA key 77576125A905F1BA
gpg: Can't check signature: No public key

Signature for file /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/CHECKSUMS could not be verified for an unknown reason. Distribution id = C/CA/CAVAC/XML-RPC-2.tar.gz
CPAN_USERID CAVAC (Rene Schickbauer <ca...@cpan.org>)
CALLED_FOR XML::RPC
CHECKSUM_STATUS
CONTAINSMODS XML::RPC
UPLOAD_DATE 2022-03-09
incommandcolor 1
localfile /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/XML-RPC-2.tar.gz
mandatory 1
negative_prefs_cache 0
prefs HASH(0x55eef7851f20)
reqtype c

Module::Signature verification returned value 0E0

The manual says for this case: Cannot verify the
OpenPGP signature, maybe due to the lack of a network connection to
the key server, or if neither gnupg nor Crypt::OpenPGP exists on the
system. You probably want to analyse the situation and if you cannot
fix it you will have to decide whether you want to stop this session
or you want to turn off signature verification. The latter would be
done with the command 'o conf init check_sigs'

----

Note that every public key given by "gpg --list-public-keys" on qaa
is on zira too.

Where does the problem come from?

--
Vincent Lefèvre <vin...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Vincent Lefevre

Jan 11, 2024, 7:10:06 PM
With strace, I could see the command that was executed:

gpg --verify --batch --no-tty -q --logger-fd=1 --keyserver=hkp://pool.sks-keyservers.net:11371

on a temporary file, but almost equivalent to the CHECKSUMS file.

Now, I can try that directly:

qaa:~> gpg --verify --batch --no-tty -q --logger-fd=1 --keyserver=hkp://pool.sks-keyservers.net:11371 /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/CHECKSUMS
gpg: Signature made 2023-12-17T16:29:09 CET
gpg: using RSA key 77576125A905F1BA
gpg: Good signature from "PAUSE Batch Signing Key 2024 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2023 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2003 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2005 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2007 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2009 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2015 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2017 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2019 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2021 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2022 <pa...@pause.perl.org>" [unknown]
gpg: aka "PAUSE Batch Signing Key 2011 <pa...@pause.perl.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2E66 557A B97C 19C7 91AF 8E20 328D A867 450F 89EC
Subkey fingerprint: D785 7544 389C 919D 8E6D ABBA 7757 6125 A905 F1BA

but

zira:~> gpg --verify --batch --no-tty -q --logger-fd=1 --keyserver=hkp://pool.sks-keyservers.net:11371 /home/vinc17/.cpan/sources/authors/id/C/CA/CAVAC/CHECKSUMS
gpg: Signature made 2023-12-17T16:29:09 CET
gpg: using RSA key 77576125A905F1BA
gpg: Can't check signature: No public key

I can notice a difference between these two machines:

qaa:~> gpg --with-subkey-fingerprint -k 2E66557AB97C19C791AF8E20328DA867450F89EC
pub dsa1024 2003-02-03 [SC] [expires: 2024-07-01]
2E66557AB97C19C791AF8E20328DA867450F89EC
uid [ unknown] PAUSE Batch Signing Key 2024 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2023 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2003 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2005 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2007 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2009 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2015 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2017 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2019 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2021 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2022 <pa...@pause.perl.org>
uid [ unknown] PAUSE Batch Signing Key 2011 <pa...@pause.perl.org>
sub elg2048 2023-07-01 [E] [expires: 2024-07-01]
4CA09107D9A3E6E61960A61C41C01F6387982F09
sub rsa4096 2023-07-01 [S] [expires: 2024-07-01]
D7857544389C919D8E6DABBA77576125A905F1BA

zira:~> gpg --with-subkey-fingerprint -k 2E66557AB97C19C791AF8E20328DA867450F89EC
pub dsa1024 2003-02-03 [SC] [expired: 2023-07-01]
2E66557AB97C19C791AF8E20328DA867450F89EC
uid [ expired] PAUSE Batch Signing Key 2023 <pa...@pause.perl.org>
uid [ expired] PAUSE Batch Signing Key 2003 <pa...@pause.perl.org>
uid [ expired] PAUSE Batch Signing Key 2005 <pa...@pause.perl.org>
uid [ expired] PAUSE Batch Signing Key 2007 <pa...@pause.perl.org>
uid [ expired] PAUSE Batch Signing Key 2009 <pa...@pause.perl.org>
uid [ expired] PAUSE Batch Signing Key 2011 <pa...@pause.perl.org>
uid [ expired] PAUSE Batch Signing Key 2015 <pa...@pause.perl.org>
uid [ expired] PAUSE Batch Signing Key 2017 <pa...@pause.perl.org>
uid [ expired] PAUSE Batch Signing Key 2022 <pa...@pause.perl.org>
uid [ expired] PAUSE Batch Signing Key 2019 <pa...@pause.perl.org>
uid [ expired] PAUSE Batch Signing Key 2021 <pa...@pause.perl.org>

i.e. the subkeys are missing. Why?

Note that on zira, doing

gpg --recv-keys 2E66557AB97C19C791AF8E20328DA867450F89EC

again doesn't change anything.
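
The comparison made in the post above (is the key ID named in "using RSA key ..." actually present in the local keyring, as a primary key or as a subkey?) can be scripted against gpg's machine-readable listing. This is an added example, not part of the original posts; the function name classify_signer and the two sample listings are constructed here to mirror the qaa and zira outputs, with timestamps and trailing fields abridged.

```shell
#!/bin/sh
# Added example: classify why gpg can or cannot check a signature made by KEYID.
# Input (stdin): output of `gpg --with-colons --list-keys <primary fingerprint>`.
# Colon format: field 1 = record type, 2 = validity (e = expired, r = revoked),
# 5 = 16-hex-digit key ID, 12 = capabilities (s = sign, e = encrypt).
classify_signer() {
    awk -F: -v want="$1" '
        $1 == "pub" { have_pub = 1; pub_validity = $2 }
        ($1 == "pub" || $1 == "sub") && toupper($5) == toupper(want) {
            found = 1; validity = $2; caps = $12
        }
        END {
            if (!have_pub)                print "no-key"
            else if (!found)              print "signer-absent primary=" pub_validity
            else if (caps !~ /s/)         print "signer-cannot-sign"
            else if (validity ~ /^[er]$/) print "signer-unusable validity=" validity
            else                          print "signer-present"
        }'
}

# Constructed sample: keyring that has the refreshed key with both subkeys.
sample_qaa() {
    cat <<'EOF'
pub:-:1024:17:328DA867450F89EC:1044230400:1719792000::-:::scESC:
sub:-:2048:16:41C01F6387982F09:1688169600:1719792000:::::e:
sub:-:4096:1:77576125A905F1BA:1688169600:1719792000:::::s:
EOF
}

# Constructed sample: keyring that has only the expired primary key.
sample_zira() {
    cat <<'EOF'
pub:e:1024:17:328DA867450F89EC:1044230400:1688169600::-:::sc:
EOF
}

# Key ID taken from the "gpg: using RSA key ..." line in the posts.
for host in qaa zira; do
    printf '%s: %s\n' "$host" "$("sample_$host" | classify_signer 77576125A905F1BA)"
done
```

On a real system, replace the sample functions with `gpg --with-colons --list-keys 2E66557AB97C19C791AF8E20328DA867450F89EC` piped into classify_signer.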