Subject: Verification failure on Win32 for some modules due to incorrect binary/text mode hashing
Some modules fail to verify on Windows because the digests are generated differently than on non-Windows.
Example: Cpanel::JSON::XS v4.06
$ cpansign -v
Executing gpg --verify --batch --no-tty --keyserver=hkp://pool.sks-keyservers.net:11371 --keyserver-options=auto-key-retrieve C:\msys64\tmp\YNON5WIAq7
gpg: Signature made 08/23/18 09:49:55 Västeuropa, sommartid
gpg: using RSA key 2895A881D34270FABFE8F747B4F63339E65D6414
gpg: Good signature from "Reini Urban <rurban@cpan.org>" [unknown]
gpg: aka "Reini Urban <reini.urban@gmail.com>" [unknown]
gpg: aka "[jpeg image of size 7578]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2895 A881 D342 70FA BFE8 F747 B4F6 3339 E65D 6414
--- SIGNATURE Thu Aug 23 09:49:55 2018
+++ (current) Fri Aug 24 12:46:03 2018
@@ -1,4 +1,4 @@
-SHA1 b1dc76bb84e636c3d4a32dc6676ae3259fa25aeb .appveyor.yml
+SHA1 8999d3b14e4ecf8012d74f19732a521cd3974092 .appveyor.yml
SHA1 65fc21ade6dae1e18b4781332953cf481fb28718 .travis.yml
SHA1 9a56f3b919dfc8fced3803e165a2e38de62646e5 COPYING
SHA1 13b9475237d825f194ced4efc720b5d0240decaa Changes
@@ -21,7 +21,7 @@
SHA1 d876bdffc381f4f67ec90f9c331e3ec2138946e2 t/04_dwiw_encode.t
SHA1 94b1130a9b760102e0a24ad518f1e7439ef9122c t/05_dwiw_decode.t
SHA1 188bcca275446893767fec9d945ac2b5afb83186 t/06_pc_pretty.t
-SHA1 f184df03869dc2baba2daa8d5c436c3996601607 t/07_pc_esc.t
+SHA1 0b39284eb4cc83cd67053ea703fa37ee23b43d8e t/07_pc_esc.t
SHA1 18dc9908153d71debc18afd777983819f5ecce9a t/08_pc_base.t
SHA1 379ba4aed1c0f88e2ea0b29c35b2bcf5500cff61 t/08_pc_base_nv.t
SHA1 94b5a3460023550b79b1d325016c951d9cb99fa1 t/09_pc_extra_number.t
@@ -70,7 +70,7 @@
SHA1 1bf6336a76101f747b84c35cca38c4e8bacb9224 t/98_56only.t
SHA1 e5e4ea9e68154f9adb4e5e19a86c96efb1704d02 t/99_binary.t
SHA1 e6078e2fc5c375d45498494bb91487834601a189 t/_unicode_handling.pm
-SHA1 ef62decbf1634f795ef03babe0b36ab9855f263b t/appveyor-test.bat
+SHA1 737016e3521c03857939bcbab0c49c10c7919591 t/appveyor-test.bat
SHA1 413be8df242f37f68aa3841888174e545cba5b2f t/test_parsing/i_number_neg_int_huge_exp.json
SHA1 fa1cc74fc07e84b1a18883a4f5e85472c41df793 t/test_parsing/i_number_pos_double_huge_exp.json
SHA1 143980cf8623793b0bf74cd81c0dc50b0f1d3dd3 t/test_parsing/i_object_key_lone_2nd_surrogate.json
==> MISMATCHED content between SIGNATURE and distribution files! <==
The files that fail are files which have different binary and text mode hashes. In this case, the ones in the SIGNATURE file are binary mode hashes and the current ones are text mode hashes. So most likely on the system where the signature was made the code behaves differently than on Windows, i.e. producing binary mode hashes instead of text mode. AFAIK text mode is the correct one for text files since that's how the tests are written.
Question: why do we care about text mode? Why not always do binary mode?
https://github.com/audreyt/module-signature/blob/272c1a9911f6204a6ee7eb08f89d4518df2e37f4/lib/Module/Signature.pm#L639-L667
This code section seems weird to me. Why not use Digest::SHA::addfile on all platforms?
Best regards
Niklas
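As an added illustration of the binary- versus text-mode mismatch the report describes (not code from Module::Signature or from the reporter; Python rather than Perl, with constructed sample files), the checker below parses SIGNATURE-style digest lines, hashes each file both ways, and says which mode reproduces the recorded digest:

```python
import hashlib
import re

# Constructed sample files, as they would sit in a checkout on Windows:
# CRLF line endings in the test script, LF only in COPYING. Not from any real distribution.
SAMPLE_FILES = {
    "t/example.t": b"use strict;\r\nok(1, 'crlf file');\r\n",
    "COPYING": b"This is free software.\n",
}

SIGNATURE_RE = re.compile(r"^SHA1\s+([0-9a-f]{40})\s+(\S+)$")

def sha1_binary(data: bytes) -> str:
    """Digest the raw bytes: what hashing a file in binary mode (Digest::SHA's 'b') yields."""
    return hashlib.sha1(data).hexdigest()

def sha1_text(data: bytes) -> str:
    """Digest after CRLF -> LF translation, i.e. what a Windows text-mode read hands to the hasher."""
    return hashlib.sha1(data.replace(b"\r\n", b"\n")).hexdigest()

def make_signature_lines(files, mode):
    """Build SIGNATURE-style 'SHA1 <hex> <path>' lines in the given hashing mode."""
    digest = sha1_binary if mode == "binary" else sha1_text
    return [f"SHA1 {digest(data)} {path}" for path, data in files.items()]

def classify_mismatches(signature_lines, files):
    """For each path named in the SIGNATURE lines, report which mode reproduces the recorded
    digest: 'binary', 'text', 'both' (no CRLF in the file, so the modes agree) or 'neither'."""
    verdicts = {}
    for line in signature_lines:
        m = SIGNATURE_RE.match(line.strip())
        if not m:
            continue  # skip diff headers and anything that is not a SHA1 entry
        recorded, path = m.groups()
        data = files[path]
        hit_binary = recorded == sha1_binary(data)
        hit_text = recorded == sha1_text(data)
        verdicts[path] = ("both" if hit_binary and hit_text else
                          "binary" if hit_binary else
                          "text" if hit_text else "neither")
    return verdicts

if __name__ == "__main__":
    # A SIGNATURE made with binary-mode hashes, verified against a CRLF checkout.
    for path, verdict in classify_mismatches(make_signature_lines(SAMPLE_FILES, "binary"), SAMPLE_FILES).items():
        print(f"{path}: recorded digest reproduced in {verdict} mode")
```

Files without CRLF verify under either mode, which is why only some files in the report mismatch.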