Codex

Module::Signature

Section: User Contributed Perl Documentation (3pm)

Updated: 2015-05-20

Index?action=index Return to Main Contents


NAME

Module::Signature - Module signature file manipulation

SYNOPSIS

As a shell command:

In programs:

DESCRIPTION

Module::Signature adds cryptographic authentications to CPAN distributions, via the special SIGNATURE file.

If you are a module user, all you have to do is to remember to run (or just ) before issuing or ; that will ensure the distribution has not been tampered with.
Module authors can easily add the SIGNATURE file to the distribution tarball; see ``NOTES'' below for how to do it as part of .
If you really want to sign a distribution manually, simply add to MANIFEST, then type immediately before . Be sure to delete the SIGNATURE file afterwards.

Please also see ``NOTES about MANIFEST.SKIP issues, especially if you are using Module::Build or writing your own MANIFEST.SKIP''.

VARIABLES

No package variables are exported by default.

$Verbose
If true, Module::Signature will give information during processing including gpg output. If false, Module::Signature will be as quiet as possible as long as everything is working ok. Defaults to false.:
$SIGNATURE
The filename for a distribution's signature file. Defaults to .:
$KeyServer
The OpenPGP key server for fetching the author's public key (currently only implemented on , not ). May be set to a false value to prevent this module from fetching public keys.:
$KeyServerPort
The OpenPGP key server port, defaults to .:
$Timeout
Maximum time to wait to try to establish a link to the key server. Defaults to .:
$AutoKeyRetrieve
Whether to automatically fetch unknown keys from the key server. Defaults to .:
$Cipher
The default cipher used by the module to make signature files. Defaults to , but may be changed to other ciphers via the environment variable if the SHA1 cipher is undesirable for the user.
The cipher specified in the SIGNATURE file's first entry will be used to validate its integrity. For , the user needs to have any one of these four modules installed: Digest::SHA, Digest::SHA1, Digest::SHA::PurePerl, or (currently nonexistent) Digest::SHA1::PurePerl.

:

$Preamble
The explanatory text written to newly generated SIGNATURE files before the actual entries.:

ENVIRONMENT

Module::Signature honors these environment variables:

MODULE_SIGNATURE_CIPHER
Works like .:
MODULE_SIGNATURE_VERBOSE
Works like .:
MODULE_SIGNATURE_KEYSERVER
Works like .:
MODULE_SIGNATURE_KEYSERVERPORT
Works like .:
MODULE_SIGNATURE_TIMEOUT
Works like .:

CONSTANTS

These constants are not exported by default.

CANNOT_VERIFY (0E0)
Cannot verify the OpenPGP signature, maybe due to the lack of a network connection to the key server, or if neither gnupg nor Crypt::OpenPGP exists on the system.:
SIGNATURE_OK (0)
Signature successfully verified.:
SIGNATURE_MISSING ("-1")
The SIGNATURE file does not exist.:
SIGNATURE_MALFORMED ("-2")
The signature file does not contains a valid OpenPGP message.:
SIGNATURE_BAD ("-3")
Invalid signature detected --- it might have been tampered with.:
SIGNATURE_MISMATCH ("-4")
The signature is valid, but files in the distribution have changed since its creation.:
MANIFEST_MISMATCH ("-5")
There are extra files in the current directory not specified by the MANIFEST file.:
CIPHER_UNKNOWN ("-6")
The cipher used by the signature file is not recognized by the and modules.:

NOTES

Signing your module as part of make dist

The easiest way is to use Module::Install:

For ExtUtils::MakeMaker (version 6.18 or above), you may do this:

Users of Module::Build may do this:

MANIFEST.SKIP Considerations

(The following section is lifted from Iain Truskett's Test::Signature module, under the Perl license. Thanks, Iain!)

It is imperative that your MANIFEST and MANIFEST.SKIP files be accurate and complete. If you are using and you do not have a MANIFEST.SKIP file, then don't worry about the rest of this. If you do have a MANIFEST.SKIP file, or you use , you must read this.
Since the test is run at time, the distribution has been made. Thus your MANIFEST.SKIP file should have the entries listed below.
If you're using , you should have, at least:
These entries are part of the default set provided by , which is ignored if you provide your own MANIFEST.SKIP file.
If you are using , you should have two extra entries:
If you don't have the correct entries, will complain that you have:

You should note this during normal development testing anyway.

Testing signatures

You may add this code as t/0-signature.t in your distribution tree:

If you are already using Test::More for testing, a more straightforward version of t/0-signature.t can be found in the Module::Signature distribution.

Note that is considered by default only when is set to a true value.

Also, if you prefer a more full-fledged testing package, and are willing to inflict the dependency of Module::Build on your users, Iain Truskett's Test::Signature might be a better choice.

SEE ALSO

Digest, Digest::SHA, Digest::SHA1, Digest::SHA::PurePerl

ExtUtils::Manifest, Crypt::OpenPGP, Test::Signature

Module::Install, ExtUtils::MakeMaker, Module::Build

Dist::Zilla::Plugin::Signature

AUTHORS

XX <[email protected]>

CC0 1.0 Universal

To the extent possible under law, XX has waived all copyright and related or neighboring rights to Module-Signature.

This work is published from Taiwan.

<http://creativecommons.org/publicdomain/zero/1.0>


Index

NAME

SYNOPSIS

DESCRIPTION

VARIABLES

ENVIRONMENT

CONSTANTS

NOTES

Signing your module as part of make dist

MANIFEST.SKIP Considerations

Testing signatures

SEE ALSO

AUTHORS

CC0 1.0 Universal