
This queue is for tickets about the Perl-Dist-Strawberry CPAN distribution.

Report information
The Basics
Id: 99703
Status: resolved
Priority: 0/
Queue: Perl-Dist-Strawberry

People
Owner: Nobody in particular
Requestors: spioch7 [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 19:29:02 +0200
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: Michał Goleń <spioch7 [...] gmail.com>

Hello,

I tried to update my Perl installation, but it looks like the certificate used to sign the installation file was revoked.

File: strawberry-perl-5.20.1.1-64bit.msi from strawberryperl.com

I still use Perl in my build scripts under Unix and Windows, but I cannot install an untrusted package due to my company's security policies.

Is this issue known to you?
Will there be a fixed, new package any time soon?

Yours sincerely,
Michael Golen

Subject: Re: [rt.cpan.org #99703] Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 20:00:35 +0200
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: kmx <kmx [...] volny.cz>

> Hello,
>
> I tried to update my Perl installation, but it looks like the certificate used
> to sign the installation file was revoked.
>
> File: strawberry-perl-5.20.1.1-64bit.msi from strawberryperl.com
>
> I still use Perl in my build scripts under Unix and Windows, but I cannot
> install an untrusted package due to my company's security policies.
>
> Is this issue known to you?
> Will there be a fixed, new package any time soon?

Hi,

I know about this issue (both 32/64bit MSI for 5.20.1.1 are invalid).

The trouble is that somebody at Certum CA lost the scanned copy of my passport which I sent them approx. a year ago. Unfortunately the reminder they sent me was "swallowed" by cpan.org's spam filter and they simply revoked my certificate.

I am trying to get a new certificate but I am seriously considering starting to distribute unsigned MSI files as I am really fed up with dealing with Certum CA.

--
kmx

Subject: Re: [rt.cpan.org #99703] Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 21:14:21 +0200
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: Michał Goleń <spioch7 [...] gmail.com>

I think that distributing an unsigned MSI is a better solution, so the system wouldn't complain about an invalid signature. Provided SHA-1 is good enough IMHO. A GnuPG asc file would be nice (some Linux distros do that), but I don't think that it's necessary.

For the time being I have manually extracted the files and updated links. It works fine :-)

Thanks for your time (and quick answer).

--
Michael

2014-10-21 20:00 GMT+02:00 kmx via RT <bug-Perl-Dist-Strawberry@rt.cpan.org>:

> <URL: https://rt.cpan.org/Ticket/Display.html?id=99703 >
>
> > Hello,
> >
> > I tried to update my Perl installation, but it looks like the certificate used
> > to sign the installation file was revoked.
> >
> > File: strawberry-perl-5.20.1.1-64bit.msi from strawberryperl.com
> >
> > I still use Perl in my build scripts under Unix and Windows, but I cannot
> > install an untrusted package due to my company's security policies.
> >
> > Is this issue known to you?
> > Will there be a fixed, new package any time soon?
>
> Hi,
>
> I know about this issue (both 32/64bit MSI for 5.20.1.1 are invalid).
>
> The trouble is that somebody at Certum CA lost the scanned copy of my passport
> which I sent them approx. a year ago. Unfortunately the reminder they
> sent me was "swallowed" by cpan.org's spam filter and they simply revoked
> my certificate.
>
> I am trying to get a new certificate but I am seriously considering
> starting to distribute unsigned MSI files as I am really fed up with dealing
> with Certum CA.
>
> --
> kmx

Subject: Re: [rt.cpan.org #99703] Invalid package signature for strawberry-perl-5.20.1.1-64bit.msi
Date: Tue, 21 Oct 2014 21:21:09 +0200
To: bug-Perl-Dist-Strawberry [...] rt.cpan.org
From: kmx <kmx [...] volny.cz>

> I think that distributing an unsigned MSI is a better solution, so the system
> wouldn't complain about an invalid signature.

In fact I can/should replace those MSIs with revoked signature with unsigned MSIs (+update SHA1 checksums).

--
kmx

The obstacles are too high. I am giving up, all the future MSI packages will be released unsigned.

--
kmx