
Using the --verify option on cpanm


Abhijith Chandrashekar

Jul 17, 2014, 8:17:59 PM
to cpan-d...@perl.org

Hello,


I intend to use cpanm to download perl modules into a secure environment that is guarded by firewalls and have a couple of questions on how to do that.


a. I want to be able to verify the perl module that has been downloaded by its signature. Cpanm provides an option for this called --verify, but the description for the option is a little ambiguous -


--verify

Verify the integrity of distribution files retrieved from PAUSE using CHECKSUMS and SIGNATURES (if found). Defaults to false.

It sounds like it means that the signature will be checked only if it is present. If the --verify option is used and the signature is missing, will the package be downloaded and installed nonetheless?


b. How does one obtain the public key that is used to check these signatures? Is it installed along with cpanm?


Please let me know if this is not the appropriate mailing list to pose these questions. Appreciate any help.


Thanks,

Abhi

Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯

Jul 17, 2014, 9:00:55 PM
to cpan-d...@perl.org
> It sounds
> like it means that the signature will be checked only if it is
> present. If the --verify option is used and the signature is missing,
> will the package be downloaded and installed nonetheless?
Yes, and it works the same as the traditional CPAN client with signature
support enabled. Most distributions are not signed because it's an
optional feature. All distributions are checksummed by PAUSE.

> How does one obtain the public key that is used to check
> these signatures? Is it installed along with cpanm?
cpanminus just delegates to Module::Signature::_verify. This fetches the
public key via [HKP](http://enwp.org/OpenPGP_HTTP_Keyserver_Protocol).
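The fail-closed behaviour the question is after, as an added example that is not part of cpanm or Module::Signature: it parses the clearsigned Perl hash that a PAUSE CHECKSUMS file carries, refuses an unsigned CHECKSUMS file instead of skipping the check, and compares the size and sha256 of the downloaded tarball against the listed values. The sample tarball and CHECKSUMS text are constructed, the signature block is a placeholder, and cryptographic verification of the clearsign against a locally pinned key is assumed to be done by gpg before this runs.

```python
import hashlib
import re

SAMPLE_DIST = b"constructed tarball bytes for Example-Dist-1.00\n"  # stand-in download
# Constructed CHECKSUMS file in the clearsigned Perl-hash layout PAUSE uses;
# the signature block is a placeholder (gpg, not this script, verifies it).
SAMPLE_CHECKSUMS = f"""0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$cksum = {{
  'Example-Dist-1.00.tar.gz' => {{
    'sha256' => '{hashlib.sha256(SAMPLE_DIST).hexdigest()}',
    'size' => {len(SAMPLE_DIST)}
  }},
}};
__END__
-----BEGIN PGP SIGNATURE-----
PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
"""

ENTRY_RE = re.compile(r"'(?P<file>[^']+)'\s*=>\s*\{(?P<body>.*?)\}", re.S)
FIELD_RE = re.compile(r"'(?P<key>\w+)'\s*=>\s*'?(?P<val>[^',\s}]+)'?")

def parse_checksums(text):
    """Extract {filename: {field: value}} from the $cksum Perl hash."""
    m = re.search(r"\$cksum\s*=\s*\{(.*)\};", text, re.S)
    if not m:
        raise ValueError("no $cksum hash found in CHECKSUMS")
    return {e.group("file"): {f.group("key"): f.group("val")
                              for f in FIELD_RE.finditer(e.group("body"))}
            for e in ENTRY_RE.finditer(m.group(1))}

def is_clearsigned(text):
    """Presence check only: is CHECKSUMS wrapped in a PGP clearsign envelope?"""
    return "-----BEGIN PGP SIGNED MESSAGE-----" in text and "-----BEGIN PGP SIGNATURE-----" in text

def verify_distribution(filename, data, checksums_text, require_signature=True):
    """Fail-closed policy (unlike cpanm's 'if found'): reject unsigned CHECKSUMS."""
    if require_signature and not is_clearsigned(checksums_text):
        return False, "CHECKSUMS is not PGP-signed"
    entry = parse_checksums(checksums_text).get(filename)
    if entry is None:
        return False, f"{filename} not listed in CHECKSUMS"
    if (int(entry.get("size", -1)) != len(data)
            or entry.get("sha256") != hashlib.sha256(data).hexdigest()):
        return False, "size or sha256 mismatch"
    return True, "ok"
```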

Abhijith Chandrashekar

Jul 18, 2014, 1:19:57 PM
to Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯, cpan-d...@perl.org
Thanks for the response Lars.

You said -

> cpanminus just delegates to Module::Signature::_verify. This fetches the
> public key via [HKP](http://enwp.org/OpenPGP_HTTP_Keyserver_Protocol)

Can you tell me where it fetches the public key from? Do you know if this
key server supports secured key requests over TLS?

On 7/17/14, 6:00 PM, "Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯" <da...@cpan.org> wrote:

> http://enwp.org/OpenPGP_HTTP_Keyserver_Protocol

Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯

Jul 19, 2014, 7:53:53 PM
to cpan-d...@perl.org
> where it fetches the public key from?

From the configured
[SKS](http://enwp.org/Key_server_%28cryptographic%29#External_links):

$ ack ^keyserver ~/.gnupg/gpg.conf
keyserver hkp://keys.gnupg.net
keyserver-options auto-key-retrieve verbose no-include-revoked

It does not really matter. The servers sync their databases regularly.
The hostname keys.gnupg.net is a DNS round-robin pool.

> key server supports secured key requests over TLS?

No, that's pointless.

Abhijith Chandrashekar

Jul 20, 2014, 7:58:11 PM
to Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯, cpan-d...@perl.org
Thanks once again. This might be a tangential discussion but can you tell
me why key requests over TLS are pointless? In building a secure
environment ground-up, ensuring that the basic infrastructure (public keys
et al) was pristine to begin with is a very important requirement. If the
key is served over http, it is possible that the base copy was mangled
with when it was first downloaded. Any perl modules that are later
verified with this potentially mangled public key become questionable
since we don’t know that the key was pristine to begin with. Please tell
me if I’m understanding this incorrectly.

Abhijith

Abhijith Chandrashekar

Jul 29, 2014, 5:57:06 PM
to Lars Dɪᴇᴄᴋᴏᴡ 迪拉斯, cpan-d...@perl.org
Hello,

I haven't heard any response regarding this. Just wanted to bring it back
to the forefront and check if anyone knew about the reason why secured key
requests aren’t provisioned?

Thanks,
Abhijith

On 7/20/14, 4:58 PM, "Abhijith Chandrashekar"