Subject: better (more secure) gpg module signing
Hi,
Regarding "OpenPGP Best Practices" [1], the hkps protocol should be used to retrieve keys. As the protocol (scheme) is hard-coded in Module::Signature [2], you can't use a secured connection to retrieve keys.
Is there any reason why Module::Signature passes a --keyserver option to gpg at all, instead of using the keyserver from gpg.conf?
Also, Module::Signature uses SHA1 as the default cipher [3], which has been considered insecure for years. You should really switch to a more secure default cipher.
Chris
[1] https://help.riseup.net/it/security/message-security/openpgp/best-practices
[2] https://metacpan.org/source/AUDREYT/Module-Signature-0.73/lib/Module/Signature.pm#L273-279
[3] https://metacpan.org/source/AUDREYT/Module-Signature-0.73/lib/Module/Signature.pm#L35
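The two points in the report, the digest algorithm recorded per file and the scheme of the keyserver URL, can be checked mechanically. The following Python is an added example, not Module::Signature's own code: it builds SIGNATURE-style `LABEL hexdigest path` lines (the format of the digest section of a SIGNATURE file) for a small constructed file set with a selectable algorithm, verifies them while refusing SHA1 lines unless the caller explicitly allows them, and exposes a helper that accepts only `hkps://` keyserver URLs. The file contents, the `DIGEST_LABELS` table and the helper names are assumptions made for the example.

```python
"""Added example (not Module::Signature's code): SIGNATURE-style digest lines
with a strong default, a verifier that refuses weak digests, and a keyserver
URL policy check."""
import hashlib
from urllib.parse import urlsplit

# Labels as written in SIGNATURE digest lines, mapped to hashlib names.
# Assumed table for this example; SHA1 is kept so that old files can be parsed.
DIGEST_LABELS = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

# Constructed sample distribution contents (path -> bytes); not a real dist.
SAMPLE_FILES = {
    "Makefile.PL": b"use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Foo');\n",
    "lib/Foo.pm": b"package Foo;\n1;\n",
}


def digest_lines(files, label="SHA256"):
    """Return one 'LABEL hexdigest path' line per file, sorted by path.

    The default label is SHA256 rather than the SHA1 default the report
    complains about.
    """
    algo = DIGEST_LABELS[label]  # KeyError for a label we do not support
    return [
        f"{label} {hashlib.new(algo, files[path]).hexdigest()} {path}"
        for path in sorted(files)
    ]


def verify_manifest(lines, files, allowed=frozenset({"SHA256", "SHA512"})):
    """Recompute every digest and return a list of problems (empty == OK).

    Lines using a digest outside `allowed` are rejected rather than checked,
    so a SHA1-only manifest fails under the default policy.  Files present
    but not listed are reported too, since an unlisted file is unsigned.
    """
    problems = []
    listed = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            problems.append(f"malformed line: {line!r}")
            continue
        label, expected, path = parts
        listed.add(path)
        if label not in DIGEST_LABELS:
            problems.append(f"{path}: unknown digest {label}")
            continue
        if label not in allowed:
            problems.append(f"{path}: weak digest {label} not accepted")
            continue
        if path not in files:
            problems.append(f"{path}: listed but missing")
            continue
        actual = hashlib.new(DIGEST_LABELS[label], files[path]).hexdigest()
        if actual != expected:
            problems.append(f"{path}: digest mismatch")
    for path in sorted(files):
        if path not in listed:
            problems.append(f"{path}: present but not listed")
    return problems


def keyserver_ok(url):
    """Accept a keyserver URL only if it uses hkps (TLS-protected HKP)."""
    parts = urlsplit(url)
    return parts.scheme == "hkps" and bool(parts.hostname)


if __name__ == "__main__":
    for line in digest_lines(SAMPLE_FILES):
        print(line)
    print("SHA256 manifest problems:", verify_manifest(digest_lines(SAMPLE_FILES), SAMPLE_FILES))
    print("SHA1 manifest problems:", verify_manifest(digest_lines(SAMPLE_FILES, "SHA1"), SAMPLE_FILES))
    for url in ("hkps://keys.example.org", "hkp://keys.example.org:11371"):
        print(url, "->", "ok" if keyserver_ok(url) else "rejected")
```

Under the default policy a manifest written with SHA1 is rejected before any digest is compared, which is the behaviour a verifier wants once a digest is no longer trusted; passing `allowed=frozenset({"SHA1", "SHA256"})` shows the opt-in path for legacy files. The keyserver check is deliberately a separate policy function, mirroring the report's suggestion that the transport should not be fixed inside the signing module.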