
This queue is for tickets about the Module-Signature CPAN distribution.

Report information
The Basics
Id: 103369
Status: open
Worked: 5 min
Priority: 0/
Queue: Module-Signature

People
Owner: Nobody in particular
Requestors: ANDK [...] cpan.org
KENTNL [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in:
  • 0.75
  • 0.76
  • 0.77
Fixed in: (no value)



Subject: 0.75 breaks CPAN.pm checksums file checking
CPAN shell output follows up to EOSHELL

cpan[1]> test Module::Signature
Reading '/home/ftp/pub/PAUSE/authors/01mailrc.txt.gz'
............................................................................DONE
Reading '/home/ftp/pub/PAUSE/modules/02packages.details.txt.gz'
Database was generated on Tue, 07 Apr 2015 21:29:01 GMT
............................................................................DONE
Reading '/home/ftp/pub/PAUSE/modules/03modlist.data.gz'
DONE
Running test for module 'Module::Signature'
Executing gpg/--verify/--batch/--no-tty/--keyserver=hkp://pool.sks-keyservers.net:11371/--keyserver-options=auto-key-retrieve//tmp/NCJfTn7C9s
gpg: verify signatures failed: eof
Signature invalid for distribution file. Please investigate.

Distribution id = A/AU/AUDREYT/Module-Signature-0.75.tar.gz
    CPAN_USERID AUDREYT (Audrey Tang <cpan@audreyt.org>)
    CALLED_FOR Module::Signature
    CHECKSUM_STATUS
    CONTAINSMODS Module::Signature
    localfile /home/ftp/pub/PAUSE/authors/id/A/AU/AUDREYT/Module-Signature-0.75.tar.gz
    mandatory 1
    negative_prefs_cache 1
    prefs HASH(0x3ad42e0)
    reqtype c

I'd recommend removing /home/ftp/pub/PAUSE/authors/id/A/AU/AUDREYT/CHECKSUMS. Its signature is invalid. Maybe you have configured your 'urllist' with a bad URL. Please check this array with 'o conf urllist', and retry.
EOSHELL

The file /tmp/NCJfTn7C9s is empty.

Cpan shell calls Module::Signature::_verify($chk_file) directly (you remember?:) where $chk_file is the path to the CHECKSUMS file. This leads to _verify_gpg being called with an empty $sigtext argument. There is this 'print $fh $sigtext;' in https://metacpan.org/source/AUDREYT/Module-Signature-0.75/lib/Module/Signature.pm#L252

I think it would be prudent for CPAN shell to not call an underscore function directly, but as far as I can see, there was never another way through Module::Signature::verify for the CHECKSUMS files, right?

Bottom line: I think I need help from within Module::Signature.

Cordially,
Attached patch seems to do it.
Subject: 103359.diff
--- ../Module-Signature-0.75-0/lib/Module/Signature.pm 2015-04-06 22:56:55.000000000 +0200 +++ lib/Module/Signature.pm 2015-04-08 02:18:30.754037252 +0200 @@ -249,7 +249,7 @@ require File::Temp; my $fh = File::Temp->new(); - print $fh $sigtext; + print $fh $sigtext || _read_sigfile($SIGNATURE); close $fh; my $gpg = _which_gpg();
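
Review bot: In the changed line 'print $fh $sigtext || _read_sigfile($SIGNATURE);' the fallback is chosen by truthiness and reads from $SIGNATURE, and neither choice is explained at the call site. Since this temp file is what gpg is asked to verify, consider making the condition explicit (testing that $sigtext is defined and non-empty) and adding a comment that the fallback exists for callers that reach this code without signature text, as the CPAN shell does through _verify($chk_file) in this ticket. The hunk does not show that $SIGNATURE holds the path that caller passed in, so that is worth confirming, and a regression test covering the direct _verify($file) path would keep this from breaking again.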

Still broken as stated above in 0.77 under cpanm which also fails in the same way for every dist.

Patch by ANDK resolves this issue so far.

Fixed in 0.78. Thanks for the patch and sorry for the breakage!