Bug #16922 for Module-Signature: Should be able to specify ID of signing key to use

Thu Jan 05 08:01:56 2006 JMEHNLE [...] cpan.org - Ticket created

Subject:

Should be able to specify ID of signing key to use

It should be possible to specify the ID of the key that is to be used for signing modules. AFAICT it currently just uses the gpg default key, which is not always the key one wants to use.

Fri May 14 04:46:47 2010 rotkraut [...] cpan.org - Correspondence added

Am Do 05. Jan 2006, 08:01:56, JMEHNLE schrieb: Show quoted text

> It should be possible to specify the ID of the key that is to be used > for signing modules. AFAICT it currently just uses the gpg default > key, which is not always the key one wants to use.

I prepared a patch that implements this feature. The key ID to use may be set in the new module variable $SigningKey or the environment variable MODULE_SIGNATURE_SIGNINGKEY. If this variable is set to a false value (which is the default) the behavior of Module::Signature is not changed. In the patched version, the following invocation should work as expected: $ export MODULE_SIGNATURE_SIGNINGKEY=0xFDCF7486 $ cpansign -s The attached patch is made against Module::Signature version 0.63 as found in CPAN. Please note that i use the gpg back-end and did not test the code for the Crypt::OpenPGP back-end in sub _sign_crypt_openpgp. But i hope it is working nevertheless.

Subject:

signingkey.diff

--- lib/Module/Signature.pm.orig 2010-03-28 04:46:01.000000000 +0200 +++ lib/Module/Signature.pm 2010-04-03 21:35:50.000000000 +0200 @@ -4,7 +4,7 @@ use 5.005; use strict; use vars qw($VERSION $SIGNATURE @ISA @EXPORT_OK); -use vars qw($Preamble $Cipher $Debug $Verbose $Timeout); +use vars qw($Preamble $Cipher $Debug $Verbose $Timeout $SigningKey); use vars qw($KeyServer $KeyServerPort $AutoKeyRetrieve $CanKeyRetrieve); use constant CANNOT_VERIFY => '0E0'; @@ -29,6 +29,7 @@ $SIGNATURE = 'SIGNATURE'; $Timeout = $ENV{MODULE_SIGNATURE_TIMEOUT} || 3; $Verbose = $ENV{MODULE_SIGNATURE_VERBOSE} || 0; +$SigningKey = $ENV{MODULE_SIGNATURE_SIGNINGKEY} || 0; $KeyServer = $ENV{MODULE_SIGNATURE_KEYSERVER} || 'pool.sks-keyservers.net'; $KeyServerPort = $ENV{MODULE_SIGNATURE_KEYSERVERPORT} || '11371'; $Cipher = $ENV{MODULE_SIGNATURE_CIPHER} || 'SHA1'; @@ -353,12 +354,13 @@ sub _sign_gpg { my ($sigfile, $plaintext, $version) = @_; + my $signerarg = $SigningKey ? "-u $SigningKey" : ""; die "Could not write to $sigfile" if -e $sigfile and (-d $sigfile or not -w $sigfile); local *D; - open D, "| gpg --clearsign >> $sigfile.tmp" or die "Could not call gpg: $!"; + open D, "| gpg $signerarg --clearsign >> $sigfile.tmp" or die "Could not call gpg: $!"; print D $plaintext; close D; @@ -432,8 +434,15 @@ my $ring = Crypt::OpenPGP::KeyRing->new( Filename => $pgp->{cfg}->get('SecRing') ) or die $pgp->error(Crypt::OpenPGP::KeyRing->errstr); - my $kb = $ring->find_keyblock_by_index(-1) - or die $pgp->error('Can\'t find last keyblock: ' . $ring->errstr); + my $kb; + if ($SigningKey) { + $kb = $ring->find_keyblock_by_keyid(pack 'H*', $SigningKey) + or die $pgp->error("Can\'t find keyblock $SigningKey: " . $ring->errstr); + } + else { + $kb = $ring->find_keyblock_by_index(-1) + or die $pgp->error('Can\'t find last keyblock: ' . $ring->errstr); + } my $cert = $kb->signing_key; my $uid = $cert->uid($kb->primary_uid); @@ -631,6 +640,12 @@ The filename for a distribution's signature file. Defaults to C<SIGNATURE>. +=item $SigningKey + +The id of the key to be used for signing. If set to a false value, a +default key depending on the back-end (C<gpg> or C<Crypt::OpenPGP>) is +used. Defaults to C<0>. + =item $KeyServer The OpenPGP key server for fetching the author's public key @@ -686,6 +701,10 @@ Works like C<$Verbose>. +=item MODULE_SIGNATURE_SIGNINGKEY + +Works like C<$SigningKey>. + =item MODULE_SIGNATURE_KEYSERVER Works like C<$KeyServer>.

Fri May 14 04:46:48 2010 The RT System itself - Status changed from 'new' to 'open'

Fri May 14 04:50:39 2010 rotkraut [...] cpan.org - Cc ROTKRAUT added

Tue May 24 12:43:30 2011 my.roges [...] gmail.com - Correspondence added

From:

my.roges [...] gmail.com

On Thu Jan 05 08:01:56 2006, JMEHNLE wrote: Show quoted text

> It should be possible to specify the ID of the key that is to be used > for signing modules. AFAICT it currently just uses the gpg default > key, which is not always the key one wants to use.

#or we could pull the key from the AUTHOR in the Makefile.PL with this patch: --- a/usr/local/share/perl/5.10.0/Module/Signature.pm +++ b/usr/local/share/perl/5.10.0/Module/Signature.pm @@ -348,8 +348,17 @@ sub sign { return unless <STDIN> =~ /[Yy]/; } + #dirty hack to let the user chose the key + my $AUTHOR = ''; + $AUTHOR = `grep AUTHOR Makefile.PL` if(-f "Makefile.PL"); + #$AUTHOR = `grep AUTHOR Makefile.PL|sed -e 's/.*{//' -e 's/}.*//'` if(-f "Makefile.PL"); + $AUTHOR = '' unless $AUTHOR=~s/.*<(.+\@.+)\>.*/$1/; + #$AUTHOR=~s/.*\{(.+)\}.*/$1/; + chomp($AUTHOR); + $AUTHOR=~s/\s*\n$//; + if (my $version = _has_gpg()) { - _sign_gpg($SIGNATURE, $plaintext, $version); + _sign_gpg($SIGNATURE, $plaintext, $version, $AUTHOR); } elsif (eval {require Crypt::OpenPGP; 1}) { _sign_crypt_openpgp($SIGNATURE, $plaintext); @@ -363,13 +372,15 @@ sub sign { } sub _sign_gpg { - my ($sigfile, $plaintext, $version) = @_; + my ($sigfile, $plaintext, $version, $AUTHOR) = @_; die "Could not write to $sigfile" if -e $sigfile and (-d $sigfile or not -w $sigfile); local *D; - open D, "| gpg --clearsign >> $sigfile.tmp" or die "Could not call gpg: $!"; + my $set_key =''; + $set_key = "--default-key $AUTHOR" if $AUTHOR; + open D, "| gpg $set_key --clearsign >> $sigfile.tmp" or die "Could not call gpg: $!"; print D $plaintext; close D; # grep VERSION /usr/local/share/perl/5.10.0/Module/Signature.pm # $Module::Signature::VERSION = '0.66'; # works for me (and I agree, this did bug me as I have lots of keys and lots of addresses.