Subject: 0.75 breaks CPAN.pm checksums file checking
CPAN shell output follows up to EOSHELL
cpan[1]> test Module::Signature
Reading '/home/ftp/pub/PAUSE/authors/01mailrc.txt.gz'
............................................................................DONE
Reading '/home/ftp/pub/PAUSE/modules/02packages.details.txt.gz'
Database was generated on Tue, 07 Apr 2015 21:29:01 GMT
............................................................................DONE
Reading '/home/ftp/pub/PAUSE/modules/03modlist.data.gz'
DONE
Running test for module 'Module::Signature'
Executing gpg/--verify/--batch/--no-tty/--keyserver=hkp://pool.sks-keyservers.net:11371/--keyserver-options=auto-key-retrieve//tmp/NCJfTn7C9s
gpg: verify signatures failed: eof
Signature invalid for distribution file. Please investigate.
Distribution id = A/AU/AUDREYT/Module-Signature-0.75.tar.gz
CPAN_USERID AUDREYT (Audrey Tang <cpan@audreyt.org>)
CALLED_FOR Module::Signature
CHECKSUM_STATUS
CONTAINSMODS Module::Signature
localfile /home/ftp/pub/PAUSE/authors/id/A/AU/AUDREYT/Module-Signature-0.75.tar.gz
mandatory 1
negative_prefs_cache 1
prefs HASH(0x3ad42e0)
reqtype c
I'd recommend removing
/home/ftp/pub/PAUSE/authors/id/A/AU/AUDREYT/CHECKSUMS. Its signature
is invalid. Maybe you have configured your 'urllist' with
a bad URL. Please check this array with 'o conf urllist', and
retry.
EOSHELL
The file /tmp/NCJfTn7C9s is empty. The CPAN shell calls Module::Signature::_verify($chk_file) directly (you remember?:) where $chk_file is the path to the CHECKSUMS file. This leads to _verify_gpg being called with an empty $sigtext argument.
There is this 'print $fh $sigtext;' in https://metacpan.org/source/AUDREYT/Module-Signature-0.75/lib/Module/Signature.pm#L252
I think it would be prudent for CPAN shell to not call an underscore function directly, but as far as I can see, there was never another way through Module::Signature::verify for the CHECKSUMS files, right?
Bottom line: I think I need help from within Module::Signature.
Cordially,
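
The condition reported above, an empty file reaching gpg --verify, can be detected before gpg is started, so the caller gets a specific diagnostic instead of "verify signatures failed: eof". The following is an added example, not code from CPAN.pm or Module::Signature; split_clearsigned is a hypothetical helper, and both sample files are constructed.

```perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical helper, not part of Module::Signature or CPAN.pm.
# Splits a clearsigned file into (signed text, armored signature) and
# returns an empty list when either part is missing or blank.
sub split_clearsigned {
    my ($path) = @_;
    open my $fh, '<', $path or return;
    my $data = do { local $/; <$fh> };
    close $fh;
    return unless defined $data && length $data;
    my ($text, $sig) = $data =~ m{
        ^-----BEGIN\ PGP\ SIGNED\ MESSAGE-----\r?\n
        (?:[^\r\n]+\r?\n)*
        \r?\n
        (.*?)\r?\n
        (-----BEGIN\ PGP\ SIGNATURE-----\r?\n.*?-----END\ PGP\ SIGNATURE-----)
    }xms or return;
    return unless $text =~ /\S/;
    return ($text, $sig);
}

# Constructed samples: an empty file, as in the report, and a clearsigned
# file whose signature block is a placeholder rather than real key material.
my ($efh, $empty) = tempfile(UNLINK => 1);
close $efh;

my ($sfh, $signed) = tempfile(UNLINK => 1);
print {$sfh} <<'END';
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

$cksum = { 'Example-0.01.tar.gz' => { 'size' => 1234 } };
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER
-----END PGP SIGNATURE-----
END
close $sfh;

for my $file ($empty, $signed) {
    my ($text, $sig) = split_clearsigned($file);
    if (defined $text) {
        printf "%s: %d bytes of signed text, ready for gpg --verify\n",
            $file, length $text;
    } else {
        print "$file: no clearsigned content, refusing to run gpg\n";
    }
}
```

The check only establishes that there is something to verify; the signature itself still has to be validated by gpg, and a file that fails the check is treated as unverified.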