Bug #118209 for Image-Info: Signature cannot be verified

Sat Oct 01 11:54:55 2016 ANDK [...] cpan.org - Ticket created

gpg: Signature made Sat Oct 1 17:34:31 2016 CEST gpg: using RSA key BF640CDA37065F8D gpg: requesting key BF640CDA37065F8D from hkp server pool.sks-keyservers.net gpg: Can't check signature: No public key ==> BAD/TAMPERED signature detected! <== Signature invalid for distribution file. Please investigate. I'd recommend removing /home/ftp/pub/PAUSE/authors/id/S/SR/SREZIC/Image-Info-1.38_50.tar.gz. Some error occurred while checking its signature, so it could be invalid. Maybe you have configured your 'urllist' with a bad URL. Please check this array with 'o conf urllist' and retry. Or examine the distribution in a subshell. Try look SREZIC/Image-Info-1.38_50.tar.gz and run cpansign -v SREZIC/Image-Info-1.38_50.tar.gz Did not pass the signature test. Is the key uploaded elsewhere?

Sat Oct 01 12:05:06 2016 SREZIC [...] cpan.org - Correspondence added

On 2016-10-01 11:54:55, ANDK wrote: Show quoted text

> gpg: Signature made Sat Oct 1 17:34:31 2016 CEST > gpg: using RSA key BF640CDA37065F8D > gpg: requesting key BF640CDA37065F8D from hkp server pool.sks-keyservers.net > gpg: Can't check signature: No public key > ==> BAD/TAMPERED signature detected! <== > > Signature invalid for distribution file. Please investigate. > > I'd recommend removing > /home/ftp/pub/PAUSE/authors/id/S/SR/SREZIC/Image-Info-1.38_50.tar.gz. Some > error occurred while checking its signature, so it could be > invalid. Maybe you have configured your 'urllist' with a bad > URL. Please check this array with 'o conf urllist' and retry. Or > examine the distribution in a subshell. Try > look SREZIC/Image-Info-1.38_50.tar.gz > and run > cpansign -v > SREZIC/Image-Info-1.38_50.tar.gz > Did not pass the signature test. > > > > Is the key uploaded elsewhere?

Hmmm... 16:03 cpansand@eserte (..age-Info-1.38_50-0): cpansign -v Executing gpg --verify --batch --no-tty --keyserver=hkp://pool.sks-keyservers.net:11371 --keyserver-options=auto-key-retrieve /tmp/jfP1MXvsHq gpg: Signature made Sat Oct 1 15:34:31 2016 UTC using RSA key ID 37065F8D gpg: Good signature from "Slaven Rezic <srezic@cpan.org>" gpg: aka "eserte@de.freebsd.org" gpg: aka "Slaven Rezic <slaven@rezic.de>" gpg: aka "Slaven Rezic <eserte@cs.tu-berlin.de>" gpg: aka "Slaven Rezic <eserte@users.sourceforge.net>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 37 70 2A BB A3 2C 35 A7 10 D3 40 E8 4B A1 D4 5E ==> Signature verified OK! <==

Sat Oct 01 12:05:06 2016 The RT System itself - Status changed from 'new' to 'open'

Sat Oct 01 12:07:39 2016 SREZIC [...] cpan.org - Correspondence added

On 2016-10-01 12:05:06, SREZIC wrote: Show quoted text

> On 2016-10-01 11:54:55, ANDK wrote:

> > gpg: Signature made Sat Oct 1 17:34:31 2016 CEST > > gpg: using RSA key BF640CDA37065F8D > > gpg: requesting key BF640CDA37065F8D from hkp server pool.sks- > > keyservers.net > > gpg: Can't check signature: No public key > > ==> BAD/TAMPERED signature detected! <== > > > > Signature invalid for distribution file. Please investigate. > > > > I'd recommend removing > > /home/ftp/pub/PAUSE/authors/id/S/SR/SREZIC/Image-Info-1.38_50.tar.gz. > > Some > > error occurred while checking its signature, so it could be > > invalid. Maybe you have configured your 'urllist' with a > > bad > > URL. Please check this array with 'o conf urllist' and retry. > > Or > > examine the distribution in a subshell. Try > > look SREZIC/Image-Info-1.38_50.tar.gz > > and run > > cpansign -v > > SREZIC/Image-Info-1.38_50.tar.gz > > Did not pass the signature test. > > > > > > > > Is the key uploaded elsewhere?

> > Hmmm... > > 16:03 cpansand@eserte (..age-Info-1.38_50-0): cpansign -v > Executing gpg --verify --batch --no-tty --keyserver=hkp://pool.sks- > keyservers.net:11371 --keyserver-options=auto-key-retrieve > /tmp/jfP1MXvsHq > gpg: Signature made Sat Oct 1 15:34:31 2016 UTC using RSA key ID > 37065F8D > gpg: Good signature from "Slaven Rezic <srezic@cpan.org>" > gpg: aka "eserte@de.freebsd.org" > gpg: aka "Slaven Rezic <slaven@rezic.de>" > gpg: aka "Slaven Rezic <eserte@cs.tu-berlin.de>" > gpg: aka "Slaven Rezic <eserte@users.sourceforge.net>" > gpg: WARNING: This key is not certified with a trusted signature! > gpg: There is no indication that the signature belongs to the > owner. > Primary key fingerprint: 37 70 2A BB A3 2C 35 A7 10 D3 40 E8 4B A1 D4 > 5E > ==> Signature verified OK! <==

The last eight hex digits match, but what's the extra eight in your version of the key id? gpg: using RSA key BF640CDA37065F8D gpg: Signature made Sat Oct 1 15:34:31 2016 UTC using RSA key ID 37065F8D

Sat Oct 01 12:27:29 2016 ANDK [...] cpan.org - Subject changed from (no value) to 'Signature cannot be verified'

Sat Oct 01 12:30:11 2016 ANDK [...] cpan.org - Correspondence added

It is old tradition that some tools only show 4 bytes of the key value, that's not to worry about. What's more important is wheather the key has been uploaded to a keyserver. I cannot find it. Can you try from a different computer that has no local copy of it?

Sat Oct 01 12:44:23 2016 SREZIC [...] cpan.org - Correspondence added

On 2016-10-01 12:30:11, ANDK wrote: Show quoted text

> It is old tradition that some tools only show 4 bytes of the key > value, that's not to worry about. What's more important is wheather > the key has been uploaded to a keyserver. I cannot find it. Can you > try from a different computer that has no local copy of it?

OK, on a different computer (MacOSX) I see the following --- probably the MD5 thingy is causing the problem: Executing gpg --verify --batch --no-tty --keyserver=hkp://pool.sks-keyservers.net:11371 --keyserver-options=auto-key-retrieve /var/folders/df/9460g5vs1k930zz12jcklv2c0000gn/T/8RxNI9WW1J gpg: Signature made Sat Oct 1 17:34:31 2016 CEST using RSA key ID 37065F8D gpg: requesting key 37065F8D from hkp server pool.sks-keyservers.net gpg: Note: signatures using the MD5 algorithm are rejected gpg: key 37065F8D: no valid user IDs gpg: this may be caused by a missing self-signature gpg: Total number processed: 1 gpg: w/o user IDs: 1 gpg: Can't check signature: public key not found ==> BAD/TAMPERED signature detected! <==

Sat Oct 01 13:44:09 2016 SREZIC [...] cpan.org - Correspondence added

On 2016-10-01 12:44:23, SREZIC wrote: Show quoted text

> On 2016-10-01 12:30:11, ANDK wrote:

> > It is old tradition that some tools only show 4 bytes of the key > > value, that's not to worry about. What's more important is wheather > > the key has been uploaded to a keyserver. I cannot find it. Can you > > try from a different computer that has no local copy of it?

> > OK, on a different computer (MacOSX) I see the following --- probably > the MD5 thingy is causing the problem: > > Executing gpg --verify --batch --no-tty --keyserver=hkp://pool.sks- > keyservers.net:11371 --keyserver-options=auto-key-retrieve > /var/folders/df/9460g5vs1k930zz12jcklv2c0000gn/T/8RxNI9WW1J > gpg: Signature made Sat Oct 1 17:34:31 2016 CEST using RSA key ID > 37065F8D > gpg: requesting key 37065F8D from hkp server pool.sks-keyservers.net > gpg: Note: signatures using the MD5 algorithm are rejected > gpg: key 37065F8D: no valid user IDs > gpg: this may be caused by a missing self-signature > gpg: Total number processed: 1 > gpg: w/o user IDs: 1 > gpg: Can't check signature: public key not found > ==> BAD/TAMPERED signature detected! <==

Can you check if 1.38_51 looks better?

Sat Oct 01 13:44:20 2016 SREZIC [...] cpan.org - Status changed from 'open' to 'patched'

Sat Oct 01 13:52:35 2016 ANDK [...] cpan.org - Correspondence added

Yes, my smoker sent already a heap of PASS reports.

Sat Oct 01 13:57:01 2016 SREZIC [...] cpan.org - Correspondence added

On 2016-10-01 13:52:35, ANDK wrote: Show quoted text

> Yes, my smoker sent already a heap of PASS reports.

Fine :-)

Sat Oct 01 13:57:01 2016 SREZIC [...] cpan.org - Status changed from 'patched' to 'resolved'