
This queue is for tickets about the SVN-Web CPAN distribution.

Report information
The Basics
Id: 19746
Status: resolved
Priority: 0/
Queue: SVN-Web

People
Owner: Nobody in particular
Requestors: jerry [...] invidi.com
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 0.47
Fixed in: (no value)



Subject: signature failure on install
Looks like the SIGNATURE file needs updating.
cpan> install SVN::Web
CPAN: Storable loaded ok
Going to read /root/.cpan/Metadata
Database was generated on Tue, 06 Jun 2006 12:27:33 GMT
Running install for module SVN::Web
Running make for N/NI/NIKC/SVN-Web-0.47.tar.gz
CPAN: LWP::UserAgent loaded ok
Fetching with LWP:
ftp://theoryx5.uwinnipeg.ca/pub/CPAN/authors/id/N/NI/NIKC/SVN-Web-0.47.tar.gz
CPAN: Digest::SHA loaded ok
Fetching with LWP:
ftp://theoryx5.uwinnipeg.ca/pub/CPAN/authors/id/N/NI/NIKC/CHECKSUMS
CPAN: Module::Signature loaded ok
WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 2E66 557A B97C 19C7 91AF 8E20 328D A867 450F 89EC
Signature for /root/.cpan/sources/authors/id/N/NI/NIKC/CHECKSUMS ok
CPAN: Compress::Zlib loaded ok
Checksum for /root/.cpan/sources/authors/id/N/NI/NIKC/SVN-Web-0.47.tar.gz ok
Scanning cache /root/.cpan/build for sizes
SVN-Web-0.47
SVN-Web-0.47/t
SVN-Web-0.47/lib
SVN-Web-0.47/bin
SVN-Web-0.47/MANIFEST
SVN-Web-0.47/TODO
SVN-Web-0.47/CHANGES.pod
SVN-Web-0.47/CONTRIBUTING.pod
SVN-Web-0.47/README
SVN-Web-0.47/Build.PL
SVN-Web-0.47/META.yml
SVN-Web-0.47/UPDATING.pod
SVN-Web-0.47/Makefile.PL
SVN-Web-0.47/SIGNATURE
SVN-Web-0.47/bin/svnweb-install
SVN-Web-0.47/bin/svnweb-server
SVN-Web-0.47/lib/SVN
SVN-Web-0.47/lib/SVN/Web.pm
SVN-Web-0.47/lib/SVN/Web
SVN-Web-0.47/lib/SVN/Web/Test.pm
SVN-Web-0.47/lib/SVN/Web/Style
SVN-Web-0.47/lib/SVN/Web/I18N
SVN-Web-0.47/lib/SVN/Web/Template
SVN-Web-0.47/lib/SVN/Web/RSS.pm
SVN-Web-0.47/lib/SVN/Web/List.pm
SVN-Web-0.47/lib/SVN/Web/Checkout.pm
SVN-Web-0.47/lib/SVN/Web/View.pm
SVN-Web-0.47/lib/SVN/Web/Diff.pm
SVN-Web-0.47/lib/SVN/Web/X.pm
SVN-Web-0.47/lib/SVN/Web/Log.pm
SVN-Web-0.47/lib/SVN/Web/action.pm
SVN-Web-0.47/lib/SVN/Web/Browse.pm
SVN-Web-0.47/lib/SVN/Web/Revision.pm
SVN-Web-0.47/lib/SVN/Web/Template/trac
SVN-Web-0.47/lib/SVN/Web/Template/plain
SVN-Web-0.47/lib/SVN/Web/Template/plain/header
SVN-Web-0.47/lib/SVN/Web/Template/plain/revision
SVN-Web-0.47/lib/SVN/Web/Template/plain/x
SVN-Web-0.47/lib/SVN/Web/Template/plain/browse
SVN-Web-0.47/lib/SVN/Web/Template/plain/diff
SVN-Web-0.47/lib/SVN/Web/Template/plain/list
SVN-Web-0.47/lib/SVN/Web/Template/plain/footer
SVN-Web-0.47/lib/SVN/Web/Template/plain/log
SVN-Web-0.47/lib/SVN/Web/Template/plain/view
SVN-Web-0.47/lib/SVN/Web/Template/trac/header
SVN-Web-0.47/lib/SVN/Web/Template/trac/footer
SVN-Web-0.47/lib/SVN/Web/Template/trac/x
SVN-Web-0.47/lib/SVN/Web/Template/trac/revision
SVN-Web-0.47/lib/SVN/Web/Template/trac/diff
SVN-Web-0.47/lib/SVN/Web/Template/trac/browse
SVN-Web-0.47/lib/SVN/Web/Template/trac/list
SVN-Web-0.47/lib/SVN/Web/Template/trac/view
SVN-Web-0.47/lib/SVN/Web/Template/trac/log
SVN-Web-0.47/lib/SVN/Web/I18N/zh_tw.po
SVN-Web-0.47/lib/SVN/Web/I18N/fr.po
SVN-Web-0.47/lib/SVN/Web/I18N/en.po
SVN-Web-0.47/lib/SVN/Web/I18N/zh_cn.po
SVN-Web-0.47/lib/SVN/Web/Style/trac
SVN-Web-0.47/lib/SVN/Web/Style/common.css
SVN-Web-0.47/lib/SVN/Web/Style/styles-hlb.css
SVN-Web-0.47/lib/SVN/Web/Style/trac/folder.png
SVN-Web-0.47/lib/SVN/Web/Style/trac/browser.css
SVN-Web-0.47/lib/SVN/Web/Style/trac/diff.css
SVN-Web-0.47/lib/SVN/Web/Style/trac/file.png
SVN-Web-0.47/lib/SVN/Web/Style/trac/svnweb.css
SVN-Web-0.47/lib/SVN/Web/Style/trac/changeset.css
SVN-Web-0.47/lib/SVN/Web/Style/trac/folderdeny.png
SVN-Web-0.47/lib/SVN/Web/Style/trac/trac.css
SVN-Web-0.47/lib/SVN/Web/Style/trac/text-diff-html.css
SVN-Web-0.47/lib/SVN/Web/Style/trac/parent.png
SVN-Web-0.47/lib/SVN/Web/Style/trac/filedeny.png
SVN-Web-0.47/lib/SVN/Web/Style/trac/code.css
SVN-Web-0.47/t/benchmark.t
SVN-Web-0.47/t/test_repo.dump
SVN-Web-0.47/t/pod.t
SVN-Web-0.47/t/1use.t
SVN-Web-0.47/t/2basic.t
SVN-Web-0.47/t/cache.t
SVN-Web-0.47/t/3svnweb-install.t
Removing previously used /root/.cpan/build/SVN-Web-0.47
WARNING: This key is not certified with a trusted signature!
Primary key fingerprint: 15B8 3FFC DDB4 34B0 AA5F 94B7 93A8 0764 2C37 E375
--- SIGNATURE 2006-05-06 09:14:39.000000000 -0600 +++ - 2006-06-06 11:48:24.476357000 -0600 
@@ -41,7 +41,7 @@ SHA1 c7f365aa5f266c338dcf72609844b7b35e07a024 lib/SVN/Web/Style/styles-hlb.css SHA1 6891d1579047594f0600adcb5ba039a73a755077 lib/SVN/Web/Style/trac/browser.css SHA1 aa619eeb97d689b527e992003995b66f1e21e410 lib/SVN/Web/Style/trac/changeset.css -SHA1 ce9d49ee72dae44293efc607344b92f51bb7fc67 lib/SVN/Web/Style/trac/code.css +SHA1 b4b44f2b7ec33e0240bd008ebe85d37f749be0a8 lib/SVN/Web/Style/trac/code.css SHA1 69333e899b14209268572ab6ec59549c1c1d3e6b lib/SVN/Web/Style/trac/diff.css SHA1 9dd0a6187297068b664beb63e21594c1a0b2bc62 lib/SVN/Web/Style/trac/file.png SHA1 9dd0a6187297068b664beb63e21594c1a0b2bc62 lib/SVN/Web/Style/trac/filedeny.png
==> MISMATCHED content between SIGNATURE and distribution files! <==
Signature invalid for distribution file. Please investigate.
Distribution id = N/NI/NIKC/SVN-Web-0.47.tar.gz
CPAN_USERID NIKC (Nik Clayton <nik@ngo.org.uk>)
CALLED_FOR SVN::Web
CHECKSUM_STATUS OK
CONTAINSMODS SVN::Web SVN::Web::Browse SVN::Web::Checkout SVN::Web::Diff SVN::Web::List SVN::Web::Log SVN::Web::RSS SVN::Web::Revision SVN::Web::Test SVN::Web::View SVN::Web::X SVN::Web::action
SIG_STATUS OK
UPLOAD_DATE 2006-05-06
archived tar
build_dir /root/.cpan/build/SVN-Web-0.47
incommandcolor 1
localfile /root/.cpan/sources/authors/id/N/NI/NIKC/SVN-Web-0.47.tar.gz
unwrapped YES
I'd recommend removing /root/.cpan/sources/authors/id/N/NI/NIKC/SVN-Web-0.47.tar.gz. Its signature is invalid. Maybe you have configured your 'urllist' with a bad URL. Please check this array with 'o conf urllist', and retry. For more information, try opening a subshell with
look NIKC/SVN-Web-0.47.tar.gz
and there run
cpansign -v
CPAN: Module::Build loaded ok
Did not pass the signature test.
Running make test
Make had some problems, won't test
Running make install
Make had some problems, won't install
Failed during this command:
NIKC/SVN-Web-0.47.tar.gz : signature_verify NO
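Review bot: the one changed entry here, lib/SVN/Web/Style/trac/code.css, is the only file whose computed digest (the + line) differs from the signed one (the - line), and the same log reports "Checksum for /root/.cpan/sources/authors/id/N/NI/NIKC/SVN-Web-0.47.tar.gz ok" against the signed CHECKSUMS file, so the downloaded archive itself matched what CHECKSUMS records. A useful next check is to hash code.css by hand as extracted from the tarball and compare it with both values, which shows whether the unpacked copy or the digest computation is what differs.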
cpan> cpansign -v
Unknown shell command 'cpansign -v'. Type ? for help.
cpan> test SVN::Web
Running test for module SVN::Web
Running make for N/NI/NIKC/SVN-Web-0.47.tar.gz
Is already unwrapped into directory /root/.cpan/build/SVN-Web-0.47
Did not pass the signature test.
Running make test
Make had some problems, won't test
Subject: Re: [rt.cpan.org #19746] signature failure on install
Date: Sat, 10 Jun 2006 15:49:06 +0100
To: bug-SVN-Web [...] rt.cpan.org
From: Nik Clayton <nik [...] ngo.org.uk>
Jerry,

Guest via RT wrote:
> Tue Jun 06 13:55:16 2006: Request 19746 was acted upon.
> Transaction: Ticket created by guest
> Queue: SVN-Web
> Subject: signature failure on install
> Broken in: 0.47
> Severity: Critical
> Owner: Nobody
> Requestors: jerry@invidi.com
> Status: new
> Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=19746 >
>
>
> Looks like the SIGNATURE file needs updating.

I'm not sure -- I can't reproduce this. I just tried on one of my colocated hosts (on which I do no development, so the environment should be clean) and I get:

cpan> look SVN::Web
[ ... omitted download information ... ]
# cpansign -v
Executing gpg --verify --batch --no-tty --keyserver=hkp://pgp.mit.edu:11371 --keyserver-options=auto-key-retrieve SIGNATURE
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: Signature made Sat May 6 08:14:39 2006 PDT using DSA key ID 2C37E375
gpg: requesting key 2C37E375 from hkp server pgp.mit.edu
gpg: key 2C37E375: public key "Nik Clayton <nik@crf-consulting.co.uk>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1
gpg: Good signature from "Nik Clayton <nik@crf-consulting.co.uk>"
gpg: aka "Nik Clayton <nik@slashdot.org>"
gpg: aka "Nik Clayton <nik@bsdi.com>"
gpg: aka "Nik Clayton <nik@ngo.org.uk>"
gpg: aka "Nik Clayton <nik@freebsd.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 15B8 3FFC DDB4 34B0 AA5F 94B7 93A8 0764 2C37 E375
==> Signature verified OK! <==

[ long lines wrapped and indented ]

That's exactly what I'd expect to see.

If you install Module::Signature you should be able to run 'cpansign -v' yourself, which should give the same results above.

The other reason I think the SIGNATURE is OK is that I've seen various OS packaging systems package SVN::Web 0.47. I doubt they'd do that if the signature checks failed for them.

If you can reproduce this I'd appreciate chapter and verse on exactly what you did.

Thanks,

N
Subject: RE: [rt.cpan.org #19746] signature failure on install
Date: Mon, 12 Jun 2006 11:13:26 -0400
To: <bug-SVN-Web [...] rt.cpan.org>
From: "Jerry Veldhuis" <jerry [...] invidi.com>
Weird, here's what I get:

[root@slaver SVN-Web-0.47]# cd /root/.cpan/build/SVN-Web-0.47
[root@slaver SVN-Web-0.47]# cpansign -v
Executing gpg --verify --batch --no-tty --keyserver=hkp://pgp.mit.edu:11371 SIGNATURE
gpg: Signature made Sat 06 May 2006 09:14:39 AM MDT using DSA key ID 2C37E375
gpg: Good signature from "Nik Clayton <nik@crf-consulting.co.uk>"
gpg: aka "Nik Clayton <nik@slashdot.org>"
gpg: aka "Nik Clayton <nik@bsdi.com>"
gpg: aka "Nik Clayton <nik@ngo.org.uk>"
gpg: aka "Nik Clayton <nik@freebsd.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 15B8 3FFC DDB4 34B0 AA5F 94B7 93A8 0764 2C37 E375
--- SIGNATURE 2006-05-06 09:14:39.000000000 -0600 +++ - 2006-06-12 09:05:44.736100000 -0600 
@@ -41,7 +41,7 @@ SHA1 c7f365aa5f266c338dcf72609844b7b35e07a024 lib/SVN/Web/Style/styles-hlb.css SHA1 6891d1579047594f0600adcb5ba039a73a755077 lib/SVN/Web/Style/trac/browser.css SHA1 aa619eeb97d689b527e992003995b66f1e21e410 lib/SVN/Web/Style/trac/changeset.css -SHA1 ce9d49ee72dae44293efc607344b92f51bb7fc67 lib/SVN/Web/Style/trac/code.css +SHA1 b4b44f2b7ec33e0240bd008ebe85d37f749be0a8 lib/SVN/Web/Style/trac/code.css SHA1 69333e899b14209268572ab6ec59549c1c1d3e6b lib/SVN/Web/Style/trac/diff.css SHA1 9dd0a6187297068b664beb63e21594c1a0b2bc62 lib/SVN/Web/Style/trac/file.png SHA1 9dd0a6187297068b664beb63e21594c1a0b2bc62 lib/SVN/Web/Style/trac/filedeny.png
==> MISMATCHED content between SIGNATURE and distribution files! <==
[root@slaver SVN-Web-0.47]#

This is a fresh install of RedHat FC5, uname -a returns:

Linux slaver.invidi.com 2.6.16-1.2122_FC5smp #1 SMP Sun May 21 15:18:32 EDT 2006 i686 i686 i386 GNU/Linux

This would be a company linux box, but we typically use the perl CPAN module to install all perl modules and their dependencies.

I have the latest version 0.54 of Module::Signature installed. As evidenced by:

% perl -e 'use Module::Signature; print "$Module::Signature::VERSION\n";'
0.54

Other ideas?

Jerry
I'm closing this ticket.

There are two possible errors that you were referring to. The first is the

WARNING: This key is not certified with a trusted signature!

That's normal with digital signatures if there isn't a trust path between you and me. It just means that you don't trust me, or anyone who's signed my PGP key.

The other, potentially more serious error is this one.

==> MISMATCHED content between SIGNATURE and distribution files! <==

I can't reproduce this, and nor can any other Perl users that I've contacted on IRC, so I think this is a (temporary) glitch on whichever CPAN mirror you downloaded the file from.

If you have the time, please try and download the distribution from multiple CPAN mirrors and compare them. If any of them have mismatched signatures then please inform the operators of those mirrors that they have a problem.

Thank you for the error report.

N
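
For comparing copies of the distribution fetched from several mirrors, as suggested above, this added example (not part of the ticket and not Module::Signature's own code) re-checks the "SHA1 <digest> <path>" manifest lines of a SIGNATURE file against an unpacked directory by hashing each file's raw bytes with sha1sum. The function names and the constructed two-file sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket): re-check the "SHA1 <digest> <path>"
# lines of a CPAN SIGNATURE file against an unpacked distribution.
# It checks file digests only; verifying the PGP signature that covers
# the manifest remains the job of gpg / cpansign.

# sig_mismatches DIR: print "MISMATCH <path>" or "MISSING <path>" for each
# manifest entry that does not match; return 1 if anything was printed.
sig_mismatches() {
    dir=$1
    rc=0
    # PGP armor and signature lines never begin with "SHA1 ", so they
    # fall through the filter below.
    while read -r algo want path; do
        [ "$algo" = "SHA1" ] || continue
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        got=$(sha1sum < "$dir/$path" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $path"; rc=1
        fi
    done < "$dir/SIGNATURE"
    return $rc
}

# make_sample: build a constructed two-file distribution whose manifest
# entry for lib/b.css is stale; prints the directory name.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/lib"
    printf 'body { margin: 0 }\n' > "$d/lib/a.css"
    printf 'pre { color: red }\n' > "$d/lib/b.css"
    good=$(sha1sum < "$d/lib/a.css" | cut -d' ' -f1)
    stale=$(printf 'pre { color: blue }\n' | sha1sum | cut -d' ' -f1)
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo 'Hash: SHA1'
        echo
        echo "SHA1 $good lib/a.css"
        echo "SHA1 $stale lib/b.css"
        echo '-----BEGIN PGP SIGNATURE-----'
    } > "$d/SIGNATURE"
    echo "$d"
}

# With a directory argument, check it; with none, only define the functions.
if [ -n "${1:-}" ]; then sig_mismatches "$1"; fi
```

Run against the unpacked tarball from each mirror, the same MISMATCH line everywhere points at the archive or the local tooling, while a line that appears for only one mirror points at that mirror's copy.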