
This queue is for tickets about the Module-Signature CPAN distribution.

Report information
The Basics
Id: 100016
Status: new
Priority: 0/
Queue: Module-Signature

People
Owner: Nobody in particular
Requestors: CLOOS [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: 0.73
Fixed in: (no value)
Subject: better (more secure) gpg module signing
Hi,

regarding "OpenPGP Best Practices" [1], the hkps protocol should be used to retrieve keys. As the protocol (scheme) is hard-coded in Module::Signature [2], you can't use a secured connection to retrieve keys. Is there any reason why Module::Signature passes a --keyserver option to gpg at all instead of using the keyserver from the gpg.conf?

Also, Module::Signature uses SHA1 as the default cipher [3], which has been considered insecure for years. You should really switch to a more secure default cipher.

Chris

[1] https://help.riseup.net/it/security/message-security/openpgp/best-practices
[2] https://metacpan.org/source/AUDREYT/Module-Signature-0.73/lib/Module/Signature.pm#L273-279
[3] https://metacpan.org/source/AUDREYT/Module-Signature-0.73/lib/Module/Signature.pm#L35
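As an added example, not code from this ticket or from Module::Signature itself, the following Python audit checks the two points the report raises from the consumer's side: whether a configured keyserver URL uses the hkps scheme, and which digest algorithm a CPAN SIGNATURE file declares for its file list. The SIGNATURE text is a constructed sample with fake digests; its line layout (`ALGORITHM hexdigest filename` inside the clearsigned block) is assumed to follow what Module::Signature writes.

```python
import re
from urllib.parse import urlsplit

# Digest algorithms that should be flagged when a SIGNATURE file relies on them.
WEAK_DIGESTS = {"MD5", "SHA1"}

# Constructed sample of a clearsigned CPAN SIGNATURE file (digests are fake).
SAMPLE_SIGNATURE = """\
This file contains message digests of all files listed in MANIFEST,
signed via the Module::Signature module, version 0.73.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 Changes
SHA1 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 MANIFEST
SHA1 84983e441c3bd26ebaae4aa1f95129e5e54670f1 lib/Foo.pm
-----BEGIN PGP SIGNATURE-----
(signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

# One digest line: algorithm name, lowercase hex digest, file name.
DIGEST_LINE = re.compile(r"^([A-Z0-9]+) ([0-9a-f]+) (\S.*)$")

def keyserver_scheme_ok(url):
    """True only when the keyserver URL uses hkps (HKP over TLS)."""
    return urlsplit(url).scheme.lower() == "hkps"

def digests_in_signature(text):
    """Count digest lines per algorithm inside the clearsigned body."""
    counts = {}
    in_body = False
    for line in text.splitlines():
        if line == "-----BEGIN PGP SIGNED MESSAGE-----":
            in_body = True
            continue
        if line == "-----BEGIN PGP SIGNATURE-----":
            break  # the detached signature block carries no digest lines
        if not in_body:
            continue
        m = DIGEST_LINE.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def audit(keyserver_url, signature_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not keyserver_scheme_ok(keyserver_url):
        findings.append(f"keyserver {keyserver_url!r} does not use hkps")
    for alg in sorted(digests_in_signature(signature_text)):
        if alg in WEAK_DIGESTS:
            findings.append(f"SIGNATURE declares weak digest {alg}")
    return findings
```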