Bug #99284 for Net-SSH-Perl: bad sha1sums in SIGNATURE file

Thu Oct 02 21:00:23 2014 MARKLE [...] cpan.org - Ticket created

CC:	scriptdolphin [...] gmail.com
Subject:	bad sha1sums in SIGNATURE file

This prevents installation with $CPAN::Config::check_sigs == 1 in Perl 5.20.0. Thank you. -Mark ------------------------------------------ PRD sre@nwa1.ntf.cft1 /tmp/cpan/build/Net-SSH-Perl-1.37 2014-10-02 17:56:59 Thu PRD $ for file in `grep ^SHA1 SIGNATURE | awk '{ print $3; }'`; do echo "SHA1 `sha1sum $file`" | sed 's/ / /'; done > SIGNATURE.files PRD sre@nwa1.ntf.cft1 /tmp/cpan/build/Net-SSH-Perl-1.37 2014-10-02 17:57:04 Thu PRD $ diff -u SIGNATURE SIGNATURE.files --- SIGNATURE 2013-08-09 15:08:32.000000000 -0700 +++ SIGNATURE.files 2014-10-02 17:57:04.000000000 -0700 @@ -1,25 +1,9 @@ -This file contains message digests of all files listed in MANIFEST, -signed via the Module::Signature module, version 0.70. - -To verify the content in this distribution, first make sure you have -Module::Signature installed, then type: - - % cpansign -v - -It will check each file's integrity, as well as the signature's -validity. If "==> Signature verified OK! <==" is not displayed, -the distribution may already have been compromised, and you should -not run its Makefile.PL or Build.PL. - ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - SHA1 cc451367f759ef30c8200859b4248973a973b623 .perlcriticrc -SHA1 08fdfcbe9db3d8d0c13a3dc4681001cf2c7247ad Changes +SHA1 9f148d72ef0d35bec456786b8c633fc7ca471007 Changes SHA1 f235ba4160673bcb7c9d58c2f09dbc7fc0efadea LICENSE SHA1 d6a61ea9371de92127e4afc234b6f6651535ed1b MANIFEST SHA1 84efc47ee3a4253e0ab8029a26c263a6553beda7 MANIFEST.SKIP -SHA1 378c9d5867b7e8cba6f5576b4593d6303264ee8d META.yml +SHA1 45ac8bfe9dff80b47d8bdf118fa60f1facdaeb59 META.yml SHA1 ed90f5c217f68c08f9fcdeb40870b09e855d704d Makefile.PL SHA1 c4f71c29acb966232282d57b570484f7ceef208b README SHA1 ca4a01e14284c7a3efa45229e3ba0877ade60285 ToDo @@ -29,7 +13,7 @@ SHA1 3a7ecc57b316a02a72f8f56602b6d59aa4a4c2ce eg/pssh-keygen SHA1 c36af8adc7bcc9ccbef3beed15723a4a0e8db15a eg/remoteinteract.pl SHA1 7ff227ceb0c28c8f98b5772072eb6bf908f96555 eg/remoteinteract2.pl -SHA1 5cba731f48de8687477d24364851434bf148cf9c lib/Net/SSH/Perl.pm +SHA1 5880749f094a44ad9b27a2cc592ee6d233ce46bc lib/Net/SSH/Perl.pm SHA1 f7b6f7cd52ce138615b0fa1bbd0b965bd138e4e8 lib/Net/SSH/Perl/Agent.pm SHA1 42d0e1ae5b5c4f90dfcc8b28076ec94c682174f0 lib/Net/SSH/Perl/Auth.pm SHA1 2587036da2cddb5278e84db1cc10d2d2c2cd1029 lib/Net/SSH/Perl/Auth/ChallengeResponse.pm @@ -54,7 +38,7 @@ SHA1 0479eae6ae99108e46cc859c2f053845ace7ab7d lib/Net/SSH/Perl/Cipher/RC4.pm SHA1 3df4c4dda730c0114f23d80b30a37b33ccefd40c lib/Net/SSH/Perl/Comp.pm SHA1 b75708438f4def2fd96fa8e1570ab999b49f7e19 lib/Net/SSH/Perl/Comp/Zlib.pm -SHA1 61063ffcb55c106e534918585d61950659dc84a9 lib/Net/SSH/Perl/Config.pm +SHA1 0a287a3f907d3ffeff0e01be6a0553b546869747 lib/Net/SSH/Perl/Config.pm SHA1 59160d52f16e23fb362948632d8325ce7dcfc4af lib/Net/SSH/Perl/Constants.pm SHA1 921a224def784e988c01395b2634bcb9bdd2cbd9 lib/Net/SSH/Perl/Handle.pm SHA1 008d3ebd3a2e5b2ff5a622bba6b3f2286a587948 lib/Net/SSH/Perl/Handle/SSH1.pm @@ -94,10 +78,3 @@ SHA1 9a32e630c87d1cc3ceaf2b5585519b55d12b79d3 t/config SHA1 885358760910acc3898301c9af18cd634ddd81a8 t/psshd SHA1 9b7aa51c0e3a2fede4a7b4767c3d507f37f46696 t/test-common.pl ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.11 (GNU/Linux) - -iEYEARECAAYFAlIFaFUACgkQJszQZs1hPJsUVACdH0C4dZaSHdr9Su4wvHkEW81K -nAcAoIV1jUIA6aDbhob/EKz/VTic1zzD -=5K3H ------END PGP SIGNATURE----- --------------------------------------------------- Fetching with LWP: http://cpan.perl.org/authors/id/S/SC/SCHWIGON/Net-SSH-Perl-1.37.tar.gz Fetching with LWP: http://cpan.perl.org/authors/id/S/SC/SCHWIGON/CHECKSUMS WARNING: This key is not certified with a trusted signature! Primary key fingerprint: 2E66 557A B97C 19C7 91AF 8E20 328D A867 450F 89EC Signature for /tmp/cpan/sources/authors/id/S/SC/SCHWIGON/CHECKSUMS ok Checksum for /tmp/cpan/sources/authors/id/S/SC/SCHWIGON/Net-SSH-Perl-1.37.tar.gz ok Net-SSH-Perl-1.37/ Net-SSH-Perl-1.37/t/ Net-SSH-Perl-1.37/t/05-cipher.t Net-SSH-Perl-1.37/t/00-signature.t Net-SSH-Perl-1.37/t/config Net-SSH-Perl-1.37/t/psshd Net-SSH-Perl-1.37/t/03-packet.t Net-SSH-Perl-1.37/t/test-common.pl Net-SSH-Perl-1.37/t/99-perlcritic.t Net-SSH-Perl-1.37/t/06-auth.t Net-SSH-Perl-1.37/t/04-config.t Net-SSH-Perl-1.37/t/99-pod.t Net-SSH-Perl-1.37/t/01-compile.t Net-SSH-Perl-1.37/t/99-yaml.t Net-SSH-Perl-1.37/t/99-spellcheck.t Net-SSH-Perl-1.37/t/06-circular.t Net-SSH-Perl-1.37/t/02-buffer.t Net-SSH-Perl-1.37/.perlcriticrc Net-SSH-Perl-1.37/lib/ Net-SSH-Perl-1.37/lib/Net/ Net-SSH-Perl-1.37/lib/Net/SSH/ Net-SSH-Perl-1.37/lib/Net/SSH/Perl.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/ Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Kex.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/AuthMgr.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Buffer.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Util.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Agent.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Handle.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/SSH2.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Util/ Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Util/Authfile.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Util/Hosts.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Util/SSH1Misc.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Util/RSA.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Util/SSH1MP.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Util/Term.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Util/SSH2MP.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Comp.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Key/ Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Key/DSA.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Key/RSA.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Key/RSA1.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Cipher.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Cipher/ Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Cipher/RC4.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Cipher/CFB.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Cipher/CBC.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Cipher/DES.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Cipher/DES3.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Cipher/IDEA.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Cipher/Blowfish.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Constants.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/SSH1.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Channel.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Auth/ Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Auth/Rhosts.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Auth/RSA.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Auth/PublicKey.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Auth/KeyboardInteractive.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Auth/KeyboardInt.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Auth/ChallengeResponse.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Auth/Password.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Auth/Rhosts_RSA.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Comp/ Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Comp/Zlib.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Handle/ Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Handle/SSH2.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Handle/SSH1.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Config.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Mac.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Subsystem/ Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Subsystem/Server.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Subsystem/Client.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Kex/ Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Kex/DH1.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Packet.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/ChannelMgr.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Auth.pm Net-SSH-Perl-1.37/lib/Net/SSH/Perl/Key.pm Net-SSH-Perl-1.37/MANIFEST.SKIP Net-SSH-Perl-1.37/Makefile.PL Net-SSH-Perl-1.37/LICENSE Net-SSH-Perl-1.37/META.yml Net-SSH-Perl-1.37/eg/ Net-SSH-Perl-1.37/eg/pscp Net-SSH-Perl-1.37/eg/cmd.pl Net-SSH-Perl-1.37/eg/remoteinteract.pl Net-SSH-Perl-1.37/eg/remoteinteract2.pl Net-SSH-Perl-1.37/eg/pssh-keygen Net-SSH-Perl-1.37/eg/pssh Net-SSH-Perl-1.37/Changes Net-SSH-Perl-1.37/MANIFEST Net-SSH-Perl-1.37/README Net-SSH-Perl-1.37/SIGNATURE Net-SSH-Perl-1.37/ToDo WARNING: This key is not certified with a trusted signature! Primary key fingerprint: 6AD2 1903 2C08 4E10 2FEF 1CED 26CC D066 CD61 3C9B --- SIGNATURE Fri Aug 9 15:08:32 2013 +++ (current) Thu Oct 2 17:49:33 2014 @@ -1,9 +1,9 @@ SHA1 cc451367f759ef30c8200859b4248973a973b623 .perlcriticrc -SHA1 08fdfcbe9db3d8d0c13a3dc4681001cf2c7247ad Changes +SHA1 fcc792606604f76d1109a1709df6a195b80dd9bf Changes SHA1 f235ba4160673bcb7c9d58c2f09dbc7fc0efadea LICENSE SHA1 d6a61ea9371de92127e4afc234b6f6651535ed1b MANIFEST SHA1 84efc47ee3a4253e0ab8029a26c263a6553beda7 MANIFEST.SKIP -SHA1 378c9d5867b7e8cba6f5576b4593d6303264ee8d META.yml +SHA1 e0fa7a8c927d58aca40ea8048e93b8f99d3da8a4 META.yml SHA1 ed90f5c217f68c08f9fcdeb40870b09e855d704d Makefile.PL SHA1 c4f71c29acb966232282d57b570484f7ceef208b README SHA1 ca4a01e14284c7a3efa45229e3ba0877ade60285 ToDo @@ -13,7 +13,7 @@ SHA1 3a7ecc57b316a02a72f8f56602b6d59aa4a4c2ce eg/pssh-keygen SHA1 c36af8adc7bcc9ccbef3beed15723a4a0e8db15a eg/remoteinteract.pl SHA1 7ff227ceb0c28c8f98b5772072eb6bf908f96555 eg/remoteinteract2.pl -SHA1 5cba731f48de8687477d24364851434bf148cf9c lib/Net/SSH/Perl.pm +SHA1 2ad9d0f12cca78d937bacf4488bd95555b8342c8 lib/Net/SSH/Perl.pm SHA1 f7b6f7cd52ce138615b0fa1bbd0b965bd138e4e8 lib/Net/SSH/Perl/Agent.pm SHA1 42d0e1ae5b5c4f90dfcc8b28076ec94c682174f0 lib/Net/SSH/Perl/Auth.pm SHA1 2587036da2cddb5278e84db1cc10d2d2c2cd1029 lib/Net/SSH/Perl/Auth/ChallengeResponse.pm @@ -38,7 +38,7 @@ SHA1 0479eae6ae99108e46cc859c2f053845ace7ab7d lib/Net/SSH/Perl/Cipher/RC4.pm SHA1 3df4c4dda730c0114f23d80b30a37b33ccefd40c lib/Net/SSH/Perl/Comp.pm SHA1 b75708438f4def2fd96fa8e1570ab999b49f7e19 lib/Net/SSH/Perl/Comp/Zlib.pm -SHA1 61063ffcb55c106e534918585d61950659dc84a9 lib/Net/SSH/Perl/Config.pm +SHA1 db89d433540d03283a20a21c9700c901e2657bea lib/Net/SSH/Perl/Config.pm SHA1 59160d52f16e23fb362948632d8325ce7dcfc4af lib/Net/SSH/Perl/Constants.pm SHA1 921a224def784e988c01395b2634bcb9bdd2cbd9 lib/Net/SSH/Perl/Handle.pm SHA1 008d3ebd3a2e5b2ff5a622bba6b3f2286a587948 lib/Net/SSH/Perl/Handle/SSH1.pm ==> MISMATCHED content between SIGNATURE and distribution files! <== Signature invalid for distribution file. Please investigate. I'd recommend removing /tmp/cpan/sources/authors/id/S/SC/SCHWIGON/Net-SSH-Perl-1.37.tar.gz. Some error occurred while checking its signature, so it could be invalid. Maybe you have configured your 'urllist' with a bad URL. Please check this array with 'o conf urllist' and retry. Or examine the distribution in a subshell. Try look SCHWIGON/Net-SSH-Perl-1.37.tar.gz and run cpansign -v SCHWIGON/Net-SSH-Perl-1.37.tar.gz Did not pass the signature test. Stopping: 'install' failed for 'Net::SSH::Perl'.

Mon Oct 06 07:49:00 2014 greg [...] turnstep.com - Taken

Mon Oct 06 07:51:29 2014 greg [...] turnstep.com - Correspondence added

Thanks for the report. I just uploaded version 1.38 with a (hopefully) working SIGNATURE file. Please give it a try when it hits your local CPAN.

Mon Oct 06 07:51:30 2014 The RT System itself - Status changed from 'new' to 'open'

Mon Oct 06 07:51:31 2014 greg [...] turnstep.com - Status changed from 'open' to 'patched'

Thu Oct 16 15:56:00 2014 MARKLE [...] cpan.org - Correspondence added

Installation with `cpan` works now with check_sigs. However I get this warning: gpg: Signature made Mon 06 Oct 2014 04:48:03 AM PDT using DSA key ID 14964AC8 gpg: Can't check signature: public key not found Developer keys get imported to GPG with installation of Module::Signature. You have to convince them to add keys there for any Net::SSH::Perl developer who might upload packages. Thanks. -Mark

Fri Nov 27 09:01:04 2015 schwigon [...] cpan.org - Correspondence added

Do you still have this issue with the latest 0.42? Steffen On Thu Oct 16 15:56:00 2014, MARKLE wrote: Show quoted text

> Installation with `cpan` works now with check_sigs. However I get > this warning: > > gpg: Signature made Mon 06 Oct 2014 04:48:03 AM PDT using DSA key ID > 14964AC8 > gpg: Can't check signature: public key not found > > Developer keys get imported to GPG with installation of > Module::Signature. You have to convince them to add keys there for > any Net::SSH::Perl developer who might upload packages. > > Thanks. -Mark

-- Steffen Schwigon <ss5@renormalist.net> Dresden Perl Mongers <http://dresden-pm.org/>